CrushFTP warned clients of an unauthenticated HTTP(S) port entry vulnerability and urged them to patch their servers instantly.
As the corporate additionally defined in an electronic mail despatched to clients on Friday (seen by BleepingComputer), the safety flaw permits attackers to realize unauthenticated entry to unpatched servers if they’re uncovered on the Web over HTTP(S).
“Please take instant motion to patch ASAP. A vulnerability has been addressed at this time (March twenty first, 2025). All CrushFTP v11 variations had been affected. (No earlier variations are affected.) A CVE might be generated quickly,” the corporate warned.
“The underside line of this vulnerability is that an uncovered HTTP(S) port might result in unauthenticated entry. The vulnerability is mitigated You probably have the DMZ function of CrushFTP in place.”
Whereas the e-mail says this vulnerability solely impacts CrushFTP v11 variations, an advisory issued on the identical day says that each CrushFTP v10 and v11 are impacted, as cybersecurity firm Rapid7 first famous.
As a workaround, those that cannot instantly replace CrushFTP v11.3.1+ (which fixes the flaw) can allow the DMZ (demilitarized zone) perimeter community possibility to guard their CrushFTP occasion till safety updates could be deployed.
In line with Shodan, over 3,400 CrushFTP cases have their internet interface uncovered on-line to assaults, though BleepingComputer could not decide what number of have already been patched.
In April 2024, CrushFTP additionally launched safety updates to patch an actively exploited zero-day vulnerability (CVE-2024-4040) that allowed unauthenticated attackers to flee the consumer’s digital file system (VFS) and obtain system information.
On the time, cybersecurity firm CrowdStrike discovered proof pointing to an intelligence-gathering marketing campaign, probably politically motivated, with the attackers concentrating on CrushFTP servers at a number of U.S. organizations.
CISA added CVE-2024-4040 to its Identified Exploited Vulnerabilities catalog, ordering U.S. federal businesses to safe susceptible servers on their networks inside per week.
In November 2023, CrushFTP clients had been additionally warned to patch a essential distant code execution vulnerability (CVE-2023-43177) within the firm’s enterprise suite after Converge safety researchers who reported the flaw launched a proof-of-concept exploit three months after the flaw was addressed.
File switch merchandise like CrushFTP are enticing targets for ransomware gangs, particularly Clop, which was linked to knowledge theft assaults concentrating on zero-day vulnerabilities in MOVEit Switch, GoAnywhere MFT, Accelion FTA, and Cleo software program.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how you can defend in opposition to them.
