Critical CrushFTP zero-day vulnerability under attack

A critical CrushFTP zero-day vulnerability is being exploited in the wild and could allow an attacker to bypass authentication, gain administrative access and perform full remote code execution on the file transfer server.

The managed file transfer vendor publicly disclosed the server-side template injection vulnerability, now tracked as CVE-2024-4040, in an advisory on April 19 following a private email notification to customers earlier that day. The zero-day vulnerability affects CrushFTP Virtual File System (VFS) in all versions below 11.1, but the vendor released a patch on April 19 with instructions on how to upgrade to the fixed version. CrushFTP credited Simon Garrelou, security engineer at Airbus CERT, for discovering and reporting the vulnerability.

Airbus CERT observed active exploitation, and it wasn't the only vendor to do so. In an advisory posted to Reddit on April 19, CrowdStrike said it observed active exploitation of CVE-2024-4040 as a zero-day. The cybersecurity vendor added that exploitation was done in a "targeted fashion" and revealed attack motives.

The advisory also referenced an additional threat report for CrowdStrike customers, titled "CSA-240466 Targeted Intrusion Actor Exploits CrushFTP Servers at Multiple U.S. Entities; Intelligence-Gathering Activity Possibly Politically Motivated."

TechTarget Editorial contacted CrowdStrike for additional information, but the vendor said it had nothing further to add at press time.

Upon initial disclosure, the zero-day vulnerability was not assigned a CVE. A security engineer known as "h4sh," founder of DirectCyber, a volunteer-driven Cyber Security Incident Response Team based in Australia, assigned the vulnerability CVE-2024-4040 on Monday. In a Mastodon post, h4sh also referred to the flaw as a "VFS Sandbox Escape" and revealed that exploitation allows "remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox."

Garrelou published a proof-of-concept exploit for CVE-2024-4040 through GitHub on Tuesday, which could mean attacks are likely to increase. Recent attacks show file transfer products are popular targets for threat actors. One prime example is the Clop ransomware gang's campaign against Progress Software's MoveIt Transfer last year. Without even deploying ransomware, threat actors stole sensitive data and claimed thousands of victims, including U.S. government agencies.

In a blog post on Tuesday, Tenable researcher Satnam Narang revealed that a Shodan scan showed more than 7,100 internet-exposed CrushFTP servers. However, Narang added that it's difficult to assess how many of those are actually vulnerable to attacks.

Threat intelligence software vendor Censys also scanned for internet-facing CrushFTP instances and found 4,899 hosts running 5,704 unique CrushFTP instances, as of Tuesday. Censys observed that more than 2,750 of the CrushFTP instances were hosted in the U.S.

"This is comparable to the levels of exposure observed a week ago on April 16, 2024, with minor fluctuations of around 50 to 60 instances," Censys wrote in a blog post.

Because CrushFTP had recently released the fix, Censys estimated that many instances remained unpatched. The vendor also cited issues with CrushFTP's advisory, including inconsistences for customers running version 10 compared with version 11, and stressed that mitigation instructions had a "hesitant tone."

"While it's commendable that CrushFTP promptly patched the issue after it was disclosed, this is one of the more confusing security advisories we've seen," Censys said.

Caitlin Condon, director of vulnerability research and intelligence at Rapid7, expanded on the vulnerability in a blog post also published on Tuesday. Further analysis by Rapid7's vulnerability research team revealed that CVE-2024-4040 is "fully unauthenticated and trivially exploitable." More alarmingly, Condon warned customers that successful exploitation could allow an attacker to "potentially exfiltrate all files stored on the CrushFTP instance."

Rapid7 urged customers to follow CrushFTP's mitigation recommendations and confirmed that patching tests successfully remediated CVE-2024-4040. However, Rapid7 warned customers that they could face detection challenges.

"Payloads for CVE-2024-4040 can be delivered in many different forms. When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," Condon wrote in the blog.

Rapid7 advised CrushFTP customers to enact the managed file transfer vendor's Limited Server mode, which helps secure server configuration files and data.

TechTarget Editorial contacted CrushFTP regarding reports of exploitation. The vendor provided the following statement:

We have not yet received any reports from any customers of a successful exploit. Airbus CERT reported they had observed it in the wild, so we believe them, as they reported the vulnerability to us. We are hopeful customers will get updated before it becomes actively used in the wild. We are assisting customers in updating as fast as we can currently. Updating is simple, and customers should already be in practice of doing regular updates.

We are being flooded with emails, so we know the news about this has gotten many customers' attention, which in a way is a good thing as they are staying vigilant about being up to date. We have seen lots of servers being probed, checking if they are vulnerable and grabbing some default items. We have not seen anything beyond that. Anyone with a public server will get scanned fairly quickly as this has gained in popularity and there are lots of people scanning for servers that have not been updated.

CrushFTP said it has only received reports of exploitation from Airbus CERT. The vendor added that it does not track metrics regarding how many customers have completed updates.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.