

Ethical Hacking News

CrushFTP Security Alert: Unauthenticated Access Flaw Exposed to Global Attackers


CrushFTP has issued a critical security warning to its customers due to an unauthenticated HTTP(S) port access vulnerability that can be exploited by attackers. The company urges users to patch their servers immediately to prevent unauthorized access and data breaches.

  • CrushFTP has issued a critical security warning for an unauthenticated HTTP(S) port access vulnerability in its v11 version.
  • The vulnerability allows attackers to gain unauthorized access to unpatched servers if exposed on the Internet over HTTP(S).
  • Enabling the DMZ feature can mitigate the vulnerability, but it's not a foolproof solution.
  • Rapid7 has reported that both CrushFTP v10 and v11 are impacted by this vulnerability.
  • Over 3,400 CrushFTP instances have been found with their web interface exposed online to attacks on Shodan.
  • The incident highlights the importance of timely patching and maintaining strong security measures.



CrushFTP, a popular file transfer server product, has issued a critical security warning to its customers, urging them to patch an unauthenticated HTTP(S) port access vulnerability immediately. The company's email, dated March 21st, 2025, states that the vulnerability was addressed on the same day and affects all CrushFTP v11 versions.

The unauthenticated HTTP(S) port access vulnerability allows attackers to gain unauthorized access to unpatched servers if they are exposed on the Internet over HTTP(S). In other words, any unpatched CrushFTP v11 server whose HTTP(S) port is reachable from the Internet is at risk. The company warns that this vulnerability can lead to a breach of sensitive data and unauthorized access to critical systems.

The email from CrushFTP explains that the vulnerability is mitigated if the DMZ (demilitarized zone) feature is enabled. The DMZ perimeter network option can protect the CrushFTP instance until security updates can be deployed. However, this is not a foolproof solution, as attackers may still find ways to bypass the DMZ, so it should be treated as a stopgap rather than a substitute for patching.

The vulnerability has been reported by cybersecurity company Rapid7, which also notes that both CrushFTP v10 and v11 are impacted. Shodan, a search engine for internet-exposed devices, shows over 3,400 CrushFTP instances with their web interface exposed online to attacks.

This is not the first time CrushFTP has issued a security warning. In April 2024, the company released security updates to patch an actively exploited zero-day vulnerability (CVE-2024-4040) that allowed unauthenticated attackers to escape the user's virtual file system (VFS) and download system files. The vulnerability was linked to an intelligence-gathering campaign, likely politically motivated, with attackers targeting CrushFTP servers at multiple U.S. organizations.

In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers reported the flaw and released a proof-of-concept exploit three months after the vulnerability was addressed.

The incident highlights the importance of timely patching and maintaining strong security measures. File transfer products like CrushFTP are attractive targets for ransomware gangs, notably Clop, which has been linked to data theft attacks exploiting zero-day vulnerabilities in MOVEit Transfer, GoAnywhere MFT, Accellion FTA, and Cleo software.

The vulnerability also underscores the need for organizations to regularly review their security posture and ensure that all software, including file transfer products, is up to date with the latest security patches. This includes maintaining an inventory of internet-exposed devices and services, such as CrushFTP instances, and taking prompt action when vulnerabilities are detected.

In conclusion, the unauthenticated HTTP(S) port access vulnerability in CrushFTP highlights the importance of timely patching, robust security measures, and regular vulnerability testing. Organizations must take immediate action to patch their servers and keep all software current with the latest security patches to prevent similar attacks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CrushFTP-Security-Alert-Unauthenticated-Access-Flaw-Exposed-to-Global-Attackers-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/

  • https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-4040

  • https://www.cvedetails.com/cve/CVE-2024-4040/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-43177

  • https://www.cvedetails.com/cve/CVE-2023-43177/


  • Published: Tue Mar 25 16:54:26 2025 by llama3.2 3B Q4_K_M
