CrushFTP has notified its users of a critical vulnerability in its file transfer system that allows attackers to gain unauthenticated access to a server via open HTTP(S) ports. The vulnerability affects servers accessible from the Internet and requires immediate updating.
According to a letter sent to clients on March 21, 2025, the vulnerability was discovered in all versions of CrushFTP v11. The letter stated that earlier versions were not affected. However, a security recommendation published on the same day contradicts this assertion, indicating that the vulnerability is also present in version v10. The issue was first reported by Rapid7, which raised further concerns among clients.
The core problem is that if an HTTP(S) port is left open, a hacker can gain access to the server without undergoing any authentication process. The solution is either to update to CrushFTP version v11.3.1 or higher, or to activate the DMZ feature, which places the server in a demilitarized zone, thereby reducing the risk of exploitation.
The company emphasized that clients should install the update immediately. For those unable to update right away, it is recommended to enable the DMZ functionality as a temporary protective measure until a patch is released. CrushFTP has promised to register the vulnerability in the CVE database soon, which will allow its status and spread to be tracked officially.
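The two facts a defender needs from the advisory are the affected range (v10 and every v11 release before 11.3.1) and the first fixed release (11.3.1). The script below is an added example, not code from the article or from CrushFTP: it parses version strings from a constructed host inventory and flags the hosts that still need the update or the DMZ workaround. It compares versions numerically rather than as strings, so a release such as 11.10.0 is correctly treated as newer than 11.3.1, and it conservatively counts v10 as affected because the published advisory (unlike the customer letter) lists it. The version-string format and the host names are assumptions.

```python
"""Added example (not from the article or CrushFTP): triage an inventory of
CrushFTP version strings against the affected range in the advisory.

Assumptions not stated on the page: version strings contain a dotted numeric
version such as "11.2.3" or "CrushFTP 10.7.0"; host names are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release named in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (11, 3, 1)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version and return it as a tuple of ints.

    Tuples of ints compare numerically, so (11, 10, 0) > (11, 3, 1);
    a plain string comparison ("11.10.0" < "11.3.1") would get this wrong.
    Returns None when no version can be found.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short versions so that "11.3" compares as (11, 3, 0).
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside the advisory's affected range,
    False if it is 11.3.1 or later, None if it cannot be assessed.

    v10 is treated as affected: the advisory lists it even though the
    customer letter said earlier versions were not affected.  Major versions
    other than 10 and 11 are not described by the page, so they are returned
    as None (manual review) rather than silently marked safe.
    """
    version = parse_version(text)
    if version is None:
        return None
    major = version[0]
    if major == 10:
        return True
    if major == 11:
        return version < FIXED_VERSION
    return None


# Constructed inventory for the example; not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-a.example.internal": "CrushFTP 11.2.3",
    "ftp-b.example.internal": "11.3.1",
    "ftp-c.example.internal": "10.8.0",
    "ftp-d.example.internal": "11.10.0",
    "ftp-e.example.internal": "unknown",
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted list of hosts that still need the update or DMZ mode."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is True)


def needs_review(inventory: Dict[str, str]) -> List[str]:
    """Return hosts whose version could not be assessed automatically."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is None)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update to CrushFTP 11.3.1 or later, or enable DMZ mode")
    for host in needs_review(SAMPLE_INVENTORY):
        print(f"{host}: version not recognised, check manually")
```

Feed the function the version strings from your own asset inventory or banner collection; the point of the numeric comparison is that a later 11.x release with a two-digit minor or patch number is not misclassified as vulnerable, and an unparseable entry is surfaced for review instead of being dropped.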

Figure: CrushFTP instances accessible via the Internet (Shodan)
According to Shodan, more than 3,400 CrushFTP servers currently have publicly accessible web interfaces, making them potential targets. It is unclear how many of these have already been updated.
This is not the first time CrushFTP has encountered serious security issues. In April 2024, the company had already addressed a zero-day vulnerability (CVE-2024-4040) that was actively exploited by attackers. At that time, the attacks aimed to bypass the isolated file system and upload system files, and were linked to politically motivated espionage activity targeting American organizations.
