Zero-Day Vulnerability CVE-2024-4040 in CrushFTP
Summary
A zero-day vulnerability is being exploited in the wild that could allow an attacker to escape the virtual file system (VFS) and download system files
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
A vulnerability has been disclosed in CrushFTP, a file server supporting standard secure file transfer protocols, after being discovered by a security researcher. The zero-day vulnerability, known as CVE-2024-4040, has a CVSSv3 score of 9.8 and could allow an attacker to escape the virtual file system (VFS) and download system files.
Exploitation in the wild for CVE-2024-4040
Reports of exploitation in the wild indicate that attackers need only a short time to achieve their goals once they target a vulnerable server. Proof-of-concept code has been published, and the vulnerability is reported to be trivial to exploit.
Threat updates
| Date | Update |
|---|---|
| 24 Apr 2024 | Vulnerability has been named CVE-2024-4040. This cyber alert was updated to reflect the addition of a CVE identifier and updated information about the proof-of-concept. |
Remediation advice
Affected organisations are encouraged to review the CrushFTP 11.1 release notes and install the relevant update.
Last edited: 24 April 2024 1:43 pm