CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign

CVE-2024-4040

A new critical vulnerability has emerged, targeting users of the popular enterprise file transfer software, CrushFTP. This zero-day flaw, identified as CVE-2024-4040 with a CVSS score of 7.7, poses a severe risk to organizations using versions before 10.7.1 and 11.1.0 on all supported platforms. It allows attackers with minimal privileges to escape the Virtual File System (VFS) sandbox and access sensitive files beyond their authorized reach.


What’s the Vulnerability?

The vulnerability was discovered by Simon Garrelou of Airbus CERT and has been confirmed by cybersecurity experts at CrowdStrike.

The CVE-2024-4040 vulnerability allows attackers with even basic user privileges to break out of the CrushFTP virtual file system (VFS) “sandbox.” In other words, they can escape the intended data access restrictions to read any files on the system where the software is installed. This flaw affects all CrushFTP versions before 10.7.1 and 11.1.0.

Why is it Dangerous?

CrushFTP is used by many organizations to manage sensitive information and confidential documents. A successful attack could let threat actors infiltrate systems, potentially uncovering trade secrets, government data, or personally identifiable information.

Who’s Behind It?

CrowdStrike’s intelligence teams have observed widespread exploitation of this vulnerability against multiple US organizations. The attack patterns suggest intelligence gathering as the primary motive, leading researchers to speculate that the campaign is politically motivated.

What Can You Do?

  1. Patch Immediately: If you use CrushFTP, update to the latest version (10.7.1 or 11.1.0) without delay. These versions address the security flaw.
  2. Consider a DMZ: Organizations that deploy CrushFTP within a demilitarized zone (DMZ) have some inherent protection from this specific exploit.
  3. Enhanced Monitoring: Security teams should be on high alert, closely monitoring network traffic for signs of unusual activity around CrushFTP installations.
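As an added example that is not part of the original post or CrushFTP's own code, the following Python inventory check flags hosts still running a CrushFTP release older than the fixed versions named above (10.7.1 on the 10.x branch, 11.1.0 on the 11.x branch); the host names and version strings in it are constructed.

```python
# Added example: triage a CrushFTP inventory for CVE-2024-4040 exposure.
# Assumption: version strings look like "10.6.2", "v11.0.3" or "10.7"; anything
# before 10.7.1 or 11.1.0 (the fixed releases named in the advisory) is flagged.
import re
from typing import Dict, List, Tuple

# fixed release per major branch, as stated in the advisory
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '10.7.1' into (10, 7, 1); tolerates a 'v' prefix, a missing
    patch component ('10.7' -> (10, 7, 0)) and a non-numeric suffix."""
    parts: List[int] = []
    for piece in v.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at a suffix such as "rc2"
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    parts = (parts + [0, 0, 0])[:3]  # pad so '10.7' compares like '10.7.0'
    return parts[0], parts[1], parts[2]


def is_vulnerable(v: str) -> bool:
    """True when this CrushFTP version predates the fix for its branch."""
    ver = parse_version(v)
    if ver[0] < 10:
        return True  # every release before 10.7.1 is affected, 9.x included
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return False  # 12.x and later postdate 11.1.0
    return ver < fixed


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, upgrade_target) for each vulnerable host."""
    findings = []
    for host, version in sorted(inventory.items()):
        if is_vulnerable(version):
            target = FIXED.get(parse_version(version)[0], FIXED[11])
            findings.append((host, version, ".".join(map(str, target))))
    return findings


if __name__ == "__main__":
    # constructed sample inventory: two patched hosts, two still exposed
    sample = {"mft-01": "10.6.2", "mft-02": "10.7.1",
              "mft-03": "v11.0.3", "mft-04": "11.1.0"}
    for host, version, target in triage(sample):
        print(f"{host}: {version} -> upgrade to {target}")
```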