CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-4040

CVSS 9.8v3.1pub. 2024-04-22upd. 2026-02-26

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

🤖 AI Analysis
How it works

The error results from improper server-side template handling (CWE-1336, CWE-94), allowing an attacker to inject malicious code into the template engine without requiring any credentials. Exploitation of the vulnerability enables bypassing the virtual file system sandbox (VFS Sandbox) and accessing operating system resources. Consequently, an attacker can escalate the attack to complete server takeover by executing arbitrary system commands (RCE).

Impact

An attacker can obtain unauthorized administrative access, read arbitrary files from the file system outside the VFS Sandbox, and execute remote code on the server (RCE), leading to complete system takeover.

Mitigation & patch

CrushFTP must be immediately updated to version 10.7.1 or newer (in the 10.x branch) or to version 11.1.0 or newer (in the 11.x branch). Update instructions are available in the official manufacturer's wiki at the addresses provided in the references.

Who is affected

CrushFTP in all versions before 10.7.1 and before 11.1.0 on all platforms

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Crushftp

    APP
    Crushftp
    10.0.0 – 10.7.1 (bez)11.0.0 – 11.1.0 (bez)

CISA KEV — detailsi

Vendori
CrushFTP
Producti
CrushFTP
Added to KEVi
April 24, 2024
Remediation deadline (US Federal)i
May 1, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 1 maja 2024
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-54309CRITICAL9.0⚠ KEVPL ✓ten sam produkt

CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny

CVE-2025-31161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora

CVE-2024-53552CRITICAL9.8PL ✓ten sam produkt

CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła

CVE-2023-43177CRITICAL9.8PL ✓ten sam produkt

CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)

CVE-2017-14035CRITICAL9.8ten sam produkt

CrushFTP 8.x before 8.2.0 has a serialization vulnerability.