CVE-2024-4040

Unauthenticated arbitrary file read and remote code execution in CrushFTP

CVSS 9.8 Critical · EPSS 99.5% · KEV (known exploited) · CWE-1336
In short

CrushFTP has a critical flaw that lets a remote attacker with no login credentials read files from the server, gain administrator access, and execute arbitrary code on the host.

Technical detail

A server-side template injection vulnerability in CrushFTP versions before 10.7.1 and 11.1.0 allows unauthenticated remote attackers to execute arbitrary code and bypass authentication mechanisms. The vulnerability enables unauthorized file system access outside the VFS sandbox and elevation to administrative privileges, affecting all platforms.

Summary generated and translated by AI from the official description.
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
CrushFTP · CrushFTP