CVE-2024-53552 (CVSS 9.8): CrushFTP Flaw Exposes Users to Account Takeover
CrushFTP, a popular file transfer server known for its robust features and user-friendly interface, has issued an urgent security advisory regarding a critical vulnerability that could lead to account takeover. The flaw, tracked as CVE-2024-53552 and assigned a CVSS score of 9.8, affects CrushFTP versions 10 before 10.8.3 and 11 before 11.2.3.
Exploiting Password Reset Functionality
The vulnerability stems from how these versions build the link embedded in a password reset email. An attacker can manipulate that link; if the targeted user clicks it, their account is immediately compromised and the attacker gains full control. The vendor's mitigation, an allow-list of domains the reset URL may point to, indicates this is the familiar password-reset poisoning pattern: the link is assembled from request-controlled input, so the reset token can be delivered to a domain the attacker controls instead of the server the user expects.
Immediate Action Required
CrushFTP urges all users to update their servers to the fixed versions (10.8.3 for the 10.x branch, 11.2.3 for the 11.x branch) as soon as possible. In addition to patching, administrators should configure the allowed email reset URL domains setting so that reset links can only point at the server's own hostnames.
This vulnerability is particularly concerning given CrushFTP's popularity and its history as a target for cybercriminals. Earlier this year, CrushFTP servers were found vulnerable to a critical server-side template injection (SSTI) vulnerability (CVE-2024-4040), which allowed remote code execution. Attackers exploited that flaw in a suspected politically motivated intelligence-gathering campaign against multiple U.S. organizations.
Protecting Your CrushFTP Server
To mitigate the risk associated with CVE-2024-53552, users should take the following steps:
- Update: Immediately upgrade to CrushFTP version 10.8.3 (10.x branch) or 11.2.3 (11.x branch), or later.
- Configure: Restrict the domains a password reset link may point to, via the allowed email reset URL domains setting, to the server's own hostnames.
- Monitor: Regularly review server logs for password reset requests that the account owner did not initiate and for reset links pointing at domains other than the server's own.
- Educate: Train users to treat unexpected password reset emails with suspicion and to check that a reset link's domain matches the server's before clicking it.
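The pattern described above (a reset link built from request-controlled input) and the configure/monitor steps in this list are illustrated by the following added example. It is not CrushFTP's code: the request shape, the `ALLOWED_RESET_DOMAINS` name standing in for the vendor's allowed email reset URL domains setting, the sample requests and the hostnames are all constructed for the demonstration.

```python
"""Password-reset link poisoning: vulnerable link builder beside a hardened one.

Added illustration, not CrushFTP's code. ALLOWED_RESET_DOMAINS, the request
dicts and the hostnames below are assumptions made for the demo.
"""
import secrets
from urllib.parse import urlsplit

# Hypothetical stand-in for the vendor's "allowed email reset URL domains"
# setting: the only hostnames a reset link is ever allowed to point at.
ALLOWED_RESET_DOMAINS = {"files.example.com", "ftp.example.com"}

# Constructed sample reset requests as the server would see them. Only the
# Host header differs: the second and third were sent by an attacker who asked
# for a reset of alice's account while pointing Host at a domain they control.
LEGIT_REQUEST = {"host": "files.example.com:443", "user": "alice"}
POISONED_REQUEST = {"host": "attacker.example.net", "user": "alice"}
LOOKALIKE_REQUEST = {"host": "files.example.com.attacker.example.net", "user": "alice"}


def host_from_header(host_header):
    """Normalise a Host header to a bare lowercase hostname (port stripped)."""
    return urlsplit("//" + host_header).hostname


def build_reset_link_vulnerable(request, token):
    """The bug pattern: the link is assembled straight from the Host header,
    so whoever sends the reset request chooses where the token is delivered."""
    return f"https://{request['host']}/reset?token={token}"


def build_reset_link_hardened(request, token):
    """Only build a link whose host is on the allow-list (exact match, so
    look-alike subdomains fail). Returns None so the caller can log and drop
    the request instead of e-mailing a link."""
    host = host_from_header(request["host"])
    if host not in ALLOWED_RESET_DOMAINS:
        return None
    return f"https://{host}/reset?token={token}"


def reset_link_target(link):
    """Which domain would receive the token if the user clicked this link."""
    return urlsplit(link).hostname


def flag_suspicious_resets(requests):
    """Monitoring helper for the 'Monitor' step: return (user, host) pairs for
    reset requests whose Host is off the allow-list; these deserve a look."""
    return [
        (r["user"], r["host"])
        for r in requests
        if host_from_header(r["host"]) not in ALLOWED_RESET_DOMAINS
    ]


def new_token():
    """Fresh unguessable reset token; the leak, not the token, is the problem."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    tok = new_token()
    samples = [("legit", LEGIT_REQUEST), ("poisoned", POISONED_REQUEST),
               ("lookalike", LOOKALIKE_REQUEST)]
    for name, req in samples:
        vuln = build_reset_link_vulnerable(req, tok)
        safe = build_reset_link_hardened(req, tok)
        print(f"{name:9} vulnerable link sends token to: {reset_link_target(vuln)}")
        print(f"{name:9} hardened link: {safe}")
    print("flagged:", flag_suspicious_resets([r for _, r in samples]))
```

The vulnerable builder sends alice's token to `attacker.example.net` whenever the attacker supplies that Host, which is exactly the click-and-lose scenario in the advisory; the hardened builder refuses anything outside the allow-list, including the look-alike subdomain, and the same allow-list check doubles as a log filter for the monitoring step.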