
April 22, 2024

CrushFTP quickly patches zero-day vulnerability


CrushFTP is warning users of its file transfer software to update to the latest version as soon as possible amid the discovery of a zero-day vulnerability being actively exploited by unknown threat actors.

The vulnerability, which has not yet been assigned a CVE identifier, could allow an unauthenticated attacker to escape the WebInterface's virtual file system (VFS) and download files from the underlying host, including potentially sensitive system files. Because no credentials are required, a successful attack exposes confidential data directly and can hand the attacker material from the stolen files (configuration, credentials) for follow-on attacks.
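The bug class described above (a client-supplied path that is not kept inside a virtual root) is easiest to see beside its fix. The following is an added illustration, not CrushFTP's code and not a reproduction of the actual flaw: the root directory, function names and request strings are assumptions. It contrasts a naive join-plus-prefix check, which accepts traversal and sibling-directory requests, with a resolver that percent-decodes, normalises, and then proves containment by path component.

```python
import posixpath
from urllib.parse import unquote

# Assumed virtual root for the illustration; not a real CrushFTP path.
VFS_ROOT = "/srv/crush/vfs"


def resolve_naive(requested: str) -> str:
    """Vulnerable pattern: concatenate the root and the client-supplied path
    without normalising, then (see is_inside_naive) trust a string-prefix check."""
    return VFS_ROOT + "/" + requested.lstrip("/")


def is_inside_naive(path: str) -> bool:
    """Prefix test that looks like a containment check but is not one:
    it passes '/srv/crush/vfs/../../etc/passwd' (the '..' is still literal)
    and '/srv/crush/vfs2/secret' (a sibling directory sharing the prefix)."""
    return path.startswith(VFS_ROOT)


def where_naive_lands(requested: str) -> str:
    """What the operating system would actually open for the naive result."""
    return posixpath.normpath(resolve_naive(requested))


def resolve_confined(requested: str):
    """Hardened pattern: decode, normalise, then prove containment.

    Returns the absolute path under VFS_ROOT, or None when the request would
    land outside it. Pure path arithmetic, so it runs without touching disk;
    a real server would additionally realpath() the result so that symlinks
    inside the VFS cannot point back out.
    """
    # Percent-decoding happens before normalisation so '%2e%2e' is seen as '..'.
    decoded = unquote(requested)
    # Drop a leading slash so an absolute request is treated as root-relative
    # instead of replacing the root inside posixpath.join().
    rel = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(VFS_ROOT, rel))
    # After normpath the traversal is gone from the string, so containment is
    # decided on path components rather than characters: the common path of
    # the root and the candidate must be exactly the root.
    if posixpath.commonpath([VFS_ROOT, candidate]) != VFS_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one benign, the rest attempts to leave the VFS.
    for req in ("docs/report.pdf", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/shadow", "../vfs2/secret", "/etc/passwd"):
        naive = resolve_naive(req)
        print(f"{req!r:30} naive={naive} prefix_ok={is_inside_naive(naive)}"
              f" opens={where_naive_lands(req)} | confined={resolve_confined(req)}")
```

The decisive difference is the order of operations: normalise first, then check, and check on whole path components (`commonpath`) rather than on a string prefix. A prefix check on an unnormalised string is exactly the shape of mistake that lets a request read outside the directory it was supposed to be confined to.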

CrushFTP notes that deployments with a DMZ (demilitarized zone) perimeter instance in front of the main CrushFTP server are protected from this attack; those users should nevertheless update to the latest version.

Source: Bleeping Computer

Analysis

According to the Shadowserver Foundation, approximately 3,000 CrushFTP instances are exposed to the internet; it is unknown how many of them are running a version affected by the zero-day.

Image 1: Internet-exposed CrushFTP servers (Source: Shadowserver Foundation)

Exploitation of vulnerabilities in managed file transfer and storage applications like CrushFTP has been extremely common over the last year, most likely because of the sensitivity of the data these products are built to protect and the long list of prominent organizations that rely on them. For example, in May 2023, a critical zero-day vulnerability in MOVEit Transfer allowed unauthenticated threat actors to access the databases of thousands of MOVEit Transfer deployments, including those of the Canadian and US governments and of organizations such as Shell and British Airways.

In addition to exfiltrating sensitive information, threat actors like Cl0p used the stolen MOVEit data for extortion, threatening to publish it unless victims paid, causing victims additional headaches well after the initial intrusion.

Mitigation

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as CrushFTP. This research contributes to the timely deployment of Covalence signatures that detect and mitigate exploitation of these vulnerabilities.

Covalence users will be notified automatically if a vulnerable version of CrushFTP is detected in their environment and are encouraged to review these AROs in the Covalence Portal as quickly as possible.

Field Effect strongly encourages all users of CrushFTP to update to the latest version as soon as possible in accordance with CrushFTP’s advisory.

Field Effect also encourages all organizations that run a secure file transfer or storage service to ensure controls are in place to detect unauthorized access, misconfigurations, and data theft, so that exploitation can be caught even before a vulnerability is publicly announced.
