CrushFTP Prior to 10.5.1 Vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2023-43177

9.8CRITICAL

Key Information:

Vendor: Crushftp
Status: Crushftp
Vendor: CVE Published:; 18 November 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 70%

Summary

CrushFTP, a file transfer server software, contains a vulnerability affecting versions prior to 10.5.1, which stems from improperly controlled modification of dynamically-determined object attributes. This flaw could lead to unauthorized changes and potentially compromise the integrity of the application. Users and administrators should be aware of this vulnerability and take appropriate measures, such as upgrading to the latest version, to safeguard their systems.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2023-43177
Created by Rapid7

CVE-2023-43177
Created by the-emmons

References

https://github.com/the-emmons/CVE-Disclosures/blob/main/P...

https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2...

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 27, 2023
👾
Exploit known to exist
Dec 27, 2023
Vulnerability published
Nov 18, 2023
Vulnerability Reserved
Sep 18, 2023