Detections
Analytics
CVE-2024-4040
critical
Description
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
From the Tenable Blog
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
Published: 2024-04-23
A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
References
https://www.theregister.com/2025/03/27/crushftp_cve/
https://www.horizon3.ai/attack-research/crushftp-authentication-bypass-indicators-of-compromise/
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-attacks-rebound
https://therecord.media/crushftp-file-transfer-vulnerability-patch-asap
Details
Published: 2024-04-22
Updated: 2025-01-27
Known Exploited Vulnerability (KEV)
Risk Information
CVSS v2
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
CVSS v3
Base Score: 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
EPSS
EPSS: 0.94412
Vulnerability Watch
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest