#VU88869 External Control of File Name or Path in CrushFTP - CVE-2024-4040

Cybersecurity Help s.r.o.

Published: 2024-04-22 | Updated: 2025-03-21

Vulnerability identifier: #VU88869

Vulnerability risk: High

CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-4040

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
CrushFTP
Server applications / File servers (FTP/HTTP)

Vendor: CrushFTP

Description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to application allows to access files outside of the virtual file system. A remote authenticated user can read arbitrary system files.

Note, the vulnerability is being exploited in the wild.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CrushFTP: before 11.1.0

External links
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
https://old.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
https://crushftp.com/version11_build.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Arbitrary file download in CrushFTP