
DIVD-2024-00015 - Remote Command Execution in CrushFTP

Our reference DIVD-2024-00015
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Products
  • CrushFTP
Versions
  • All versions below v10.7.1 and v11.1.0 are affected.
Recommendation CrushFTP recommends updating all versions within the v10 range to version v10.7.1. Additionally, all versions below v11.1.0 should be upgraded to v11.1.0. CrushFTP advises companies still using v9 to immediately upgrade to v11.
Patch status Released
Status Closed
Last modified 07 Aug 2024 13:53 CEST

Summary

A vulnerability has been identified in CrushFTP, enabling unauthenticated malicious actors to bypass CrushFTP’s Virtual File System, granting them access to sensitive system files.

Although using a DMZ for CrushFTP provides partial protection, unauthenticated malicious actors can still access sensitive CrushFTP configuration files.

This vulnerability is present in the CrushFTP web interface. Therefore, if only the SFTP port is exposed to the internet, you are protected from this vulnerability. However, updating to the latest version is still recommended as a precautionary measure.

Recommendations

CrushFTP recommends upgrading to the latest available version. Users running versions in the v10 range are advised to update to v10.7.1. Alternatively, upgrading to v11.1.0 is also an option.

For those operating CrushFTP servers within the v11 range, updating to v11.1.0 is recommended.

If your CrushFTP version falls within the v9 range, it’s strongly recommended to upgrade immediately to v11.1.0. Enterprise customers of CrushFTP can reach out to CrushFTP for assistance with obtaining a license code.

What we are doing

DIVD is currently identifying vulnerable instances and notifying the owners of these systems.

Timeline

Date Description
23 Apr 2024 DIVD starts researching this vulnerability.
23 Apr 2024 DIVD found a way to fingerprint vulnerable devices
23 Apr 2024 DIVD starts scanning the internet for vulnerable instances
23 Apr 2024 Case opened, first version of this casefile
23 Apr 2024 DIVD starts notifying network owners with a vulnerable instance in their network
07 May 2024 DIVD rescans the internet for vulnerable instances
07 May 2024 DIVD starts notifying network owners with a vulnerable instance for the second time
01 Jun 2024 DIVD rescans the internet for vulnerable instances
01 Jun 2024 DIVD starts notifying network owners with a vulnerable instance for the third time
01 Jun 2024 Case closed

More information