Full Report
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. [...]
Analysis Summary
This summary focuses on the two distinct vulnerabilities in CrushFTP mentioned in the provided context.
# Vulnerability: CrushFTP Authentication Bypass and RCE Flaws
## CVE Details
- CVE ID: CVE-2024-4040 (Auth Bypass/VFS Escape)
  - Severity: Critical (Implied by active exploitation and CISA inclusion)
  - CWE: Not specified in the context.
- CVE ID: CVE-2023-43177 (Remote Code Execution)
  - Severity: Critical (Implied by RCE nature)
  - CWE: Not specified in the context.
## Affected Systems
- Products: CrushFTP
- Versions: Specific vulnerable versions are not listed, but patches were released for both CVEs.
- Configurations: General CrushFTP installations were vulnerable to these flaws.
## Vulnerability Description
**CVE-2024-4040 (April 2024):** An actively exploited zero-day vulnerability that allowed unauthenticated attackers to escape the user's virtual file system (VFS) context and download sensitive system files.
**CVE-2023-43177 (November 2023):** A critical Remote Code Execution (RCE) bug found in the enterprise suite.
## Exploitation
| Vulnerability | Status | Complexity | Attack Vector |
| :--- | :--- | :--- | :--- |
| **CVE-2024-4040** | Exploited in the wild (Targeted, politically motivated campaign for intelligence gathering) | Not specified (Implied Low/Medium given widespread exploitation) | Network (Likely pre-authentication) |
| **CVE-2023-43177** | PoC available (Released by discoverers months after patch) | Not specified | Network (Implied) |
## Impact
The combined impact of these vulnerabilities is severe:
- **Confidentiality:** High (System file download via VFS escape; potential data theft via RCE)
- **Integrity:** High (Potential for unauthorized modification via RCE)
- **Availability:** Medium/High (Service disruption possible depending on exploitation method)
## Remediation
### Patches
- **CVE-2024-4040:** Patched by CrushFTP in April 2024. Users must apply the corresponding security update.
- **CVE-2023-43177:** Patched by CrushFTP in November 2023. Users must apply the corresponding security update.
### Workarounds
No specific technical workarounds are detailed in the context provided, but the primary mitigation is immediate patching.
## Detection
- **CVE-2024-4040:** The vulnerability was included in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active threat actor use against federal agencies. Detection should focus on unusual file access patterns originating from network sessions or unauthorized attempts to read configuration files outside of expected user directories.
- **Detection Methods:** Monitoring server logs for anomalies related to file system traversal or unusual administrative commands. For federal systems, checking the CISA KEV catalog status is mandatory.
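The detection guidance above (unusual file access outside expected user directories, traversal sequences, reads of configuration files) can be turned into a first-pass log review. The following is an added example written for this summary; it is not code from the article, from CISA, or from CrushFTP. It assumes a constructed, generic access-log format (`<timestamp> user=<name> op=<READ|WRITE> path=<requested path>`), a hypothetical mapping from users to their expected root directories, and an illustrative watch list of sensitive file names; CrushFTP's real log layout is not described on the page and would need its own parser.

```python
"""
Added example: review constructed file-access log lines and flag requests
whose normalized path leaves the user's expected directory, contain a
dot-dot traversal sequence, or target a sensitive file name.
Log format, field names, user roots and the watch list are assumptions.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Assumed log format: "<ts> user=<name> op=<READ|WRITE> path=<requested path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$"
)

# Assumption: file names ordinary users are not expected to read (illustrative).
SENSITIVE_NAMES = ("users.xml", "prefs.xml", "shadow", "passwd", ".ssh", "web.xml")


@dataclass
class Finding:
    ts: str
    user: str
    path: str          # path exactly as requested
    normalized: str    # percent-decoded, dot-segment-resolved absolute path
    reason: str


def normalize(path: str) -> str:
    """Decode percent-encoding twice (catches double encoding), unify
    separators, and collapse '.'/'..' so traversal resolves to a real path."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def escapes_root(normalized: str, root: str) -> bool:
    """True when the normalized path is not the root itself or beneath it."""
    root = posixpath.normpath(root)
    return not (normalized == root or normalized.startswith(root.rstrip("/") + "/"))


def review_log(lines, user_roots):
    """Return one Finding per suspicious line; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, raw = m["ts"], m["user"], m["path"]
        norm = normalize(raw)
        reasons = []
        root = user_roots.get(user)
        if root is None:
            reasons.append("no expected directory configured for user")
        elif escapes_root(norm, root):
            reasons.append(f"normalized path leaves expected root {root}")
        if ".." in unquote(unquote(raw)):
            reasons.append("dot-dot traversal sequence in request")
        if any(name in norm.split("/") for name in SENSITIVE_NAMES):
            reasons.append("targets a sensitive file name")
        if reasons:
            findings.append(Finding(ts, user, raw, norm, "; ".join(reasons)))
    return findings


# Constructed sample input (not real CrushFTP logs).
SAMPLE_LOG = [
    "2024-04-23T10:00:01Z user=alice op=READ path=/home/alice/reports/q1.pdf",
    "2024-04-23T10:00:05Z user=alice op=READ path=/home/alice/../../etc/passwd",
    "2024-04-23T10:00:09Z user=bob op=READ path=%2e%2e%2F%2e%2e%2Fconf%2Fusers.xml",
    "2024-04-23T10:00:12Z user=bob op=WRITE path=/home/bob/upload/notes.txt",
    "2024-04-23T10:00:15Z user=alice op=READ path=/home/alice/users.xml",
]
# Assumed mapping of users to the directory they are expected to stay inside.
USER_ROOTS = {"alice": "/home/alice", "bob": "/home/bob"}

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, USER_ROOTS):
        print(f"{f.ts} {f.user} {f.path} -> {f.normalized}: {f.reason}")
```

Two design points matter for this kind of review: the path must be decoded and dot-segment-resolved before comparing it against the expected root, because a literal string search for `..` misses percent-encoded forms, and every hit should be tied back to the user's configured directory rather than to a fixed blocklist alone, since the page describes the flaw as an escape from the user's own VFS context.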
## References
- News report on the vendor advisory (CVE-2024-4040): [crushftp-warns-users-to-patch-exploited-zero-day-immediately](https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/)
- News report on the vendor advisory (CVE-2023-43177): [exploit-for-crushftp-rce-chain-released-patch-now](https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/)
- CISA KEV Inclusion: [cisa-adds-three-known-exploited-vulnerabilities-catalog](https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog)
- NVD Lookup (CVE-2024-4040): nvd.nist.gov/vuln/detail/CVE-2024-4040 (Defanged)
- NVD Lookup (CVE-2023-43177): nvd.nist.gov/vuln/detail/CVE-2023-43177 (Defanged)