A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Published: 2024-04-23
A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
https://www.theregister.com/2025/03/27/crushftp_cve/
https://www.horizon3.ai/attack-research/crushftp-authentication-bypass-indicators-of-compromise/
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-attacks-rebound
https://therecord.media/crushftp-file-transfer-vulnerability-patch-asap
Published: 2024-04-22
Updated: 2025-01-27
Known Exploited Vulnerability (KEV)
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
EPSS: 0.94412
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest