Remote File Read Vulnerability in VFS Sandbox
CVE-2024-4040

9.8CRITICAL

Key Information:

Vendor: Crushftp
Status: Crushftp
Vendor: CVE Published:; 22 April 2024

Badges

📈 Trended📈 Score: 12,100💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 94%🦅 CISA Reported📰 News Worthy

What is CVE-2024-4040?

CVE-2024-4040 is a remote file read vulnerability discovered in the VFS Sandbox of CrushFTP, a file transfer server application used for secure file sharing and management. This vulnerability affects all versions of CrushFTP prior to 10.7.1 and 11.1.0 across all platforms. It allows unauthenticated remote attackers to bypass authentication mechanisms, read sensitive files from the server's filesystem, and potentially execute arbitrary code on the server. The implications of this vulnerability are significant, as it could lead to unauthorized access to sensitive data and complete server compromise, posing a serious risk to affected organizations.

Technical Details

CVE-2024-4040 is characterized as a server-side template injection vulnerability that arises when user inputs are improperly validated, enabling attackers to manipulate template processing. This flaw permits attackers to breach the security of the VFS Sandbox intended to contain file access. Consequently, this vulnerability allows them to read files outside of the restricted environment, leading to potential exposure of sensitive information. Furthermore, exploitation of this vulnerability can allow attackers to gain administrative privileges and execute remote code, which could facilitate ongoing access to the compromised server.

Impact of the Vulnerability

Unauthorized File Access: Attackers can exploit this vulnerability to access confidential files stored on the server, leading to data leaks that may include sensitive user information or proprietary company data.
Administrative Privilege Escalation: By bypassing authentication processes, attackers can gain administrative access to the CrushFTP server, allowing them to manipulate system settings and configurations, which may further facilitate their malicious activities.
Remote Code Execution: The vulnerability opens the door for remote code execution, enabling attackers to deploy malware on the server, potentially leading to the installation of backdoors, data destruction, or even serving as a launchpad for attacks on other systems within the network.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

CrushFTP 10.0

CrushFTP 10.0 < 10.7.1

CrushFTP 11.0 < 11.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-4040 - Proof of Concept

CVE-2024-4040-SSTI-LFI
Created by Stuub

News Articles

BleepingComputer

CVE-2025-2825 CVE-2024-4040

Critical auth bypass bug in CrushFTP now exploited in attacks

Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.

3 days ago