
CrushFTP Critical Vulnerability (CVE-2024-4040)

Apr 27, 2024

1 min read

A vulnerability has been discovered in CrushFTP, a popular piece of software used for file sharing over secure protocols. The zero-day vulnerability (CVE-2024-4040) is rated by NIST [nist.gov] as a CVSSv3 10.0 and could allow an attacker to escape the virtual file system (VFS) and download system files.


From the CrushFTP website [crushftp.com]:


"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are partially protected by the protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately."


Versions 11.1.0 and 10.7.1 both include the fix for this vulnerability. Those running affected versions of CrushFTP should consider upgrading immediately to prevent exploitation.
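A quick way to triage an estate against the patched releases named above. This is an added example, not BlueHat Cyber's or CrushFTP's code; it assumes that any 11.x build below 11.1.0 and any 10.x build below 10.7.1 should be treated as affected, and that other major versions are simply outside this advisory. The inventory lines are constructed sample data.

```python
"""Flag CrushFTP installs whose version predates the patched releases in the advisory.

Added example, not vendor code. Assumption: 11.x below 11.1.0 and 10.x below 10.7.1
are treated as affected; other major versions are reported as not covered here.
"""
import re
from typing import Optional

# Patched releases quoted on the page, keyed by major version.
FIXED = {11: (11, 1, 0), 10: (10, 7, 1)}

def parse_version(text: str) -> tuple:
    """Turn '11.0.3', 'v11.1' or '11.1' into a 3-field comparable tuple."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_affected(version: str) -> Optional[bool]:
    """True if below the fix for its major line, False if at/above it, None if not covered."""
    v = parse_version(version)
    fix = FIXED.get(v[0])
    if fix is None:
        return None
    return v < fix

# Constructed inventory: "<hostname> <version>" per line.
INVENTORY = """\
ftp-dmz-01 11.0.3
ftp-core-01 11.1.0
ftp-legacy-02 10.7.0
ftp-legacy-03 10.7.1
ftp-old-09 9.5.1
"""

def triage(inventory: str) -> dict:
    """Map each host to 'upgrade', 'patched' or 'not covered'."""
    labels = {True: "upgrade", False: "patched", None: "not covered"}
    result = {}
    for line in inventory.splitlines():
        host, ver = line.split()
        result[host] = labels[is_affected(ver)]
    return result

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "upgrade" should be moved to 11.1.0 or 10.7.1; a DMZ in front of them is not a substitute for the update.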



© 2025 by BlueHat Cyber Ltd. All rights reserved.
