Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

CrushFTP Zero-Day Flaw

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files,” CrushFTP said in an advisory released Friday. “This has been patched in v11.1.0.”

That said, customers who are operating their CrushFTP instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks.

Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier.

Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a “targeted fashion.”

CrushFTP Zero-Day Flaw

These intrusions are said to have mainly targeted U.S. entities, with the intelligence gathering activity suspected to be politically motivated.

“CrushFTP users should continue to follow the vendor’s website for the most up-to-date instructions and prioritize patching,” CrowdStrike said.

Update#

When reached for comment, CrushFTP’s founder and president Ben Spink told The Hacker News that it’s aware of a report from CrowdStrike about active exploitation of the flaw, but noted that the company hasn’t heard anything from its customers so far.

Spink also emphasized that no additional technical details about the issue has been made public either by CrushFTP or Airbus. The Hacker News has reached out to CrowdStrike for additional comments, and we will update the story if we hear back.

“We patched the vulnerability within a couple hours of being made aware of it, and then worked through eating and confirming the fix before issuing emails to everyone on the notification list of emergency updates,” Spink said.

“10.7.1 patches all v10 versions and 11.1 patches all v11 versions. No one should still be running v9. Customers who have paid for extended support can contact us for a patched v9 version.”

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top