globe with a red arrow through the middle, and dark blue text saying Direct Cyber

VFS Sandbox Escape in CrushFTP

Credit

Simon Garrelou, of Airbus CERT

Details

CVE-2024-4040

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. It is being actively exploited in the wild by APT actors.

References

  1. CVE-2024-4040 on NVD
  2. Vendor advisory from CrushFTP
  3. Crowdstrike Situational Awareness