Skip to content
Analyst Insight: Download your copy of the Gartner® Hype Cycle™ for Security Operations, 2024 Report today! | Get Report
Advisory

April 22, 2024: CrushFTP zero day vulnerability allows unauthorized file downloads CVE-2024-4040

Global Impact (at time of dissemination)

• 9,600+ publicly-exposed CrushFTP hosts (virtual & physical) with exposed WebInterfaces

Top affected countries:
1. US
2. Germany
3. Canada
4. UK
5. Netherlands


Summary

Censys is aware that on April 19, 2024, CrushFTP informed its users that it discovered and released a patch for a zero day vulnerability that allows unauthenticated and authenticated users with low privileges to retrieve system files that are not part of their virtual file system (VFS) via the WebInterface. This bug affects all versions of CrushFTP below version 11.1. The zero day is currently being exploited in the wild.

Asset Description
CrushFTP describes itself as “enterprise grade file transfer for everyone” that touts being able to run on most operating systems. FTP, or File Transfer Protocol, is meant to allow users to transfer large and/or varied types of files quickly and securely. This specific vulnerability concerns CrushFTP WebInterface, a browser-based application that pairs with an FTP server.

Impact

Potential Consequences of Successful Exploitation
This vulnerability could potentially allow users to escape the CrushFTP virtual file system (VFS) and download system files. Given that file transfer tools are often used for transferring large, sensitive documents and data, this vulnerability may grant internal users with unauthorized access to files beyond their permissions or enable attackers to download sensitive information. This issue is currently seeing active exploitation in the wild.

Affected Assets

According to CrushFTP, this issue affects all versions of CrushFTP below version 11.1.
Censys’ Rapid Response Team was able to identify hosts exposing a CrushFTP WebInterface application. Below are queries for hosts running CrushFTP with exposed WebInterfaces. These hosts are publicly facing and recently observed from our scans.

Censys ASM Risk Name for Potentially Vulnerable Devices

Exposed CrushFTP WebInterface”
The query above will find exposed CrushFTP WebInterfaces associated with your organization in your ASM workspace within approximately 24 hours.

Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.

Censys Search Queries
are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.

Recommendations for remediation

If you need assistance in positively identifying these assets, please let us know.
Attack Surface Management Solutions
Learn more