Remote File Read Vulnerability in VFS Sandbox

CVE-2024-4040

10CRITICAL

Key Information

Vendor: Crushftp
Status: Crushftp
Vendor: CVE Published:; 22 April 2024

Badges

😄 Trended👾 Exploit Exists🔴 Public PoC🟣 EPSS 96%📰 News Worthy

What is CVE-2024-4040?

CVE-2024-4040 is a remote file read vulnerability discovered in the VFS Sandbox of CrushFTP, a file transfer server application used for secure file sharing and management. This vulnerability affects all versions of CrushFTP prior to 10.7.1 and 11.1.0 across all platforms. It allows unauthenticated remote attackers to bypass authentication mechanisms, read sensitive files from the server's filesystem, and potentially execute arbitrary code on the server. The implications of this vulnerability are significant, as it could lead to unauthorized access to sensitive data and complete server compromise, posing a serious risk to affected organizations.

Technical Details

CVE-2024-4040 is characterized as a server-side template injection vulnerability that arises when user inputs are improperly validated, enabling attackers to manipulate template processing. This flaw permits attackers to breach the security of the VFS Sandbox intended to contain file access. Consequently, this vulnerability allows them to read files outside of the restricted environment, leading to potential exposure of sensitive information. Furthermore, exploitation of this vulnerability can allow attackers to gain administrative privileges and execute remote code, which could facilitate ongoing access to the compromised server.

Impact of the Vulnerability

Unauthorized File Access: Attackers can exploit this vulnerability to access confidential files stored on the server, leading to data leaks that may include sensitive user information or proprietary company data.
Administrative Privilege Escalation: By bypassing authentication processes, attackers can gain administrative access to the CrushFTP server, allowing them to manipulate system settings and configurations, which may further facilitate their malicious activities.
Remote Code Execution: The vulnerability opens the door for remote code execution, enabling attackers to deploy malware on the server, potentially leading to the installation of backdoors, data destruction, or even serving as a launchpad for attacks on other systems within the network.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-4040 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

CrushFTP <= 10.0

CrushFTP < 10.7.1

CrushFTP < 11.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-4040-SSTI-LFI
Created by Stuub

CVE-2024-4040
Created by airbus-cert

CVE-2024-4040
Created by gotr00t0day

News Articles

SOC Prime

CVE-2024-4040

CVE-2024-4040 Detection: A Critical CrushFTP Zero-Day Vulnerability Exploited in the Wild Targeting U.S. Organizations - SOC Prime

Detect CVE-2024-4040 exploitation attempts, a new critical CrushFTP zero-day vulnerability, with a novel Sigma rule from SOC Prime Platform.

8 months ago

Qualys Security Blog

CVE-2024-4040

CrushFTP Zero-Day Exploitation Due to CVE-2024-4040 | Qualys Security Blog

CrushFTP disclosed a zero-day vulnerability in their software on April 19, 2024. The vulnerability is published on CVE-2024-4040. Affected versions: The CVSS…

8 months ago