CrushFTP on Friday released patches for a zero-day vulnerability in the file transfer server, warning customers of its in-the-wild exploitation.
Impacting CrushFTP versions 9, 10, and 11, the security defect allows an unauthenticated attacker to escape their virtual file system (VFS) and retrieve system files, potentially opening the door to further exploitation.
In its advisory, CrushFTP points out that customers using a DMZ server, which filters protocols and connections, are protected against attacks.
Patches were included in CrushFTP versions 10.71 and 11.1.0. Customers still using CrushFTP version 9 should upgrade to a patched release.
In a Friday notice to customers that was shared on Reddit, CrushFTP underlined that it was aware of in-the-wild exploitation, urging customers to apply the available patches immediately.
“Please take immediate action to patch ASAP. A vulnerability was reported today (April 19, 2024), and we patched it immediately. v10 version 10.71 is patched. v11 version 11.1.0 is patched. This vulnerability exists in the wild,” the vendor told customers.
CrushFTP has credited Simon Garrelou of Airbus CERT for discovering and reporting the vulnerability, but has not shared specific details on the observed attacks.
On Friday, cybersecurity firm CrowdStrike noted in a Reddit post that the vulnerability had been exploited in the wild in a targeted fashion, mainly against US entities.
CrowdStrike said the observed attacks were likely focused on intelligence gathering or might have been politically motivated, but did not share further details.
A proprietary multi-protocol file transfer server available for Windows, macOS, and Linux, CrushFTP has been around since 1999 and is available as shareware, with a tiered pricing model.
SecurityWeek has emailed CrushFTP for additional information on the zero-day exploitation and will update this article as soon as a reply arrives.
Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability
Related: SEC Investigating Progress Software Over MOVEit Hack
Related: Accellion to Retire File Transfer Service Targeted in Attacks
Source: securityweek.com