Critical Vulnerability in CrushFTP
Summary
The critical vulnerability assigned CVE-2023-43177 could allow remote code execution on affected devices
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
A critical vulnerability has been disclosed in CrushFTP after being discovered by security researchers. Assigned CVE-2023-43177, the vulnerability could allow an unauthenticated attacker to access files stored on the server, execute code remotely, or obtain plaintext passwords.
Proof-of-concept for exploitation of CVE-2023-43177
A proof-of-concept (PoC) for the exploitation of CVE-2023-43177 has been publicly released, which makes exploitation more likely.
Remediation advice
Affected organisations are encouraged to review the latest CrushFTP release notes and install the relevant update.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 20 November 2023 3:50 pm