CVE-2024-4040: Unauthenticated arbitrary file read and remote code execution in CrushFTP

9.8 CVSS

Description

A server-side template injection vulnerability in CrushFTP, in all versions before 10.7.1 and 11.1.0 on all platforms, allows unauthenticated remote attackers to read files from the filesystem outside of the VFS sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Classification

CVE ID: CVE-2024-4040

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: CrushFTP

Product: CrushFTP

Nuclei Template

http/cves/2024/CVE-2024-4040.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 96.77% (estimated probability that this vulnerability is exploited in the wild)

EPSS Percentile: 99.8% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-05 (date on which this score was calculated)

References

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
https://github.com/airbus-cert/CVE-2024-4040

Timeline