Headline
Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit
By Deeba Ahmed Popular File Transfer Software Hit by Zero-Day Exploit: Millions Potentially Exposed - Install Patches Right Now! This is a post from HackRead.com Read the original post: Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit
A critical zero-day vulnerability in CrushFTP, a popular file transfer software, allows attackers to download sensitive system files. This puts millions of users at risk! Learn how to protect yourself from this exploit and secure your file transfers.
Attention file transfer users! A recently discovered zero-day exploit in CrushFTP, a popular enterprise file transfer software solution, has sent security researchers scrambling. This critical vulnerability could allow attackers to download sensitive system files, potentially compromising the security of millions of users worldwide.
****What is CrushFTP and Why Should You Care?****
CrushFTP is a widely used software program that enables secure file transfers between computers and servers, offering functionalities like FTP, SFTP, FTPS, WebDAV, and more. However, the recent discovery of a zero-day exploit raises concerns about the potential for unauthorized access and data breaches, making businesses/organizations using it for data exchanges vulnerable.
****How Does the Exploit Work?****
The vulnerability (CVE-2024-4040), identified by Simon Garrelou of Airbus CERT, allows attackers to bypass the software’s virtual file system (VFS) restrictions and download system files that are typically off-limits. This unauthorized access could lead to the theft of sensitive data, the installation of malicious software, and disruption of file transfer operations or server inoperability.
****Who is Affected?****
The exact number of affected users is unknown, but CrushFTP boasts a significant user base across various industries. Organizations of all sizes, from small businesses to large enterprises, could be at risk if they haven’t applied the latest security patch, details of which can be found in CrushFTP’s advisory.
“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0,” the advisory read.
It must be noted that customers operating CrushFTP instances within a demilitarized zone (DMZ) are safe from the attacks. The flaw is yet to receive a CVE identifier.
Cybersecurity firm CrowdStrike reported an exploit for the CrushFTP Zero-Day flaw targeting U.S. entities in what it believes is a politically motivated intelligence-gathering activity.
However, CrushFTP’s founder, Ben Spink, claims the company hasn’t received any user complaints as yet whereas the vulnerability was patched within hours of identification.
To update CrushFTP to the latest version v11.1.0, log in to the dashboard, click the About tab, and click Update> Update Now. Wait 5 minutes for files to download, unzip, and copy, then auto-restart CrushFTP.
- WinRAR users update software as 0-day vulnerability is found
- WeTransfer phishing attack spoofs file-sharing to steal credential
- APT Winter Vivern Exploits Roundcube 0-Day against European Entities
Related news
An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.