Remote File Read Vulnerability in VFS Sandbox
CVE-2024-4040
Key Information
- Vendor: CrushFTP
- Status: Vendor
- CVE Published: 22 April 2024
What is CVE-2024-4040?
CVE-2024-4040 is a remote file read vulnerability in the VFS Sandbox of CrushFTP, a file transfer server used for secure file sharing and management. It affects all CrushFTP versions prior to 10.7.1 and 11.1.0 on every platform. An unauthenticated remote attacker can read files from the server's filesystem outside the VFS Sandbox, bypass authentication to gain administrative access, and from there execute code on the server. Because exploitation needs no credentials and the server holds the files it is trusted to broker, the practical outcome is unauthorized access to sensitive data and potentially full compromise of the host.
Technical Details
CVE-2024-4040 is classed as a server-side template injection. User-supplied input reaches the server's template processing without adequate validation, so an attacker can steer what the template engine evaluates, including which files it reads. Because that file access is not confined to the VFS Sandbox that is supposed to bound a user's view of the filesystem, the attacker can read files outside the sandbox and expose sensitive information. The files reachable this way are what make the bug more than a disclosure issue: with them an attacker can obtain administrative access and, through administrative functionality, run code on the server and retain access to it.
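As an added illustration, not CrushFTP's code and not the actual exploit, the toy template engine below shows the bug class the paragraph describes: an `{{ include path }}` directive that resolves an attacker-supplied path against a VFS sandbox root without canonicalising it, beside a hardened resolver that canonicalises and refuses anything that does not land under the root. The directive syntax, file names and directory layout are constructed for the example.

```python
import os
import re
import tempfile

# Hypothetical directive syntax for the toy engine; CrushFTP's real template
# syntax is not shown on this page.
INCLUDE_RE = re.compile(r"\{\{\s*include\s+([^}]+?)\s*\}\}")


class SandboxEscape(Exception):
    """Raised when an include resolves to a path outside the VFS sandbox root."""


def render_unsafe(template: str, sandbox_root: str) -> str:
    """Vulnerable: the include path is joined onto the sandbox root as-is.
    '../x' walks out of the root, and an absolute path replaces the root entirely."""
    def expand(match: re.Match) -> str:
        with open(os.path.join(sandbox_root, match.group(1))) as fh:
            return fh.read()
    return INCLUDE_RE.sub(expand, template)


def resolve_in_sandbox(sandbox_root: str, user_path: str) -> str:
    """Hardened resolver: canonicalise, then require the result to stay under the root."""
    root = os.path.realpath(sandbox_root)
    # Strip leading separators so an absolute path cannot replace the root.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # realpath also follows symlinks, so a link inside the sandbox that points
    # outside is caught by the same prefix check.
    if os.path.commonpath([root, candidate]) != root:
        raise SandboxEscape(user_path)
    return candidate


def render_safe(template: str, sandbox_root: str) -> str:
    """Same directive, but every include goes through resolve_in_sandbox()."""
    def expand(match: re.Match) -> str:
        with open(resolve_in_sandbox(sandbox_root, match.group(1))) as fh:
            return fh.read()
    return INCLUDE_RE.sub(expand, template)


def demo() -> dict:
    """Constructed layout: <base>/sandbox/welcome.txt is inside the VFS root,
    <base>/server-secret.txt is outside it."""
    with tempfile.TemporaryDirectory() as base:
        sandbox = os.path.join(base, "sandbox")
        os.mkdir(sandbox)
        with open(os.path.join(sandbox, "welcome.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(base, "server-secret.txt"), "w") as fh:
            fh.write("SECRET")

        attack = "{{ include ../server-secret.txt }}"
        results = {"unsafe": render_unsafe(attack, sandbox)}
        try:
            render_safe(attack, sandbox)
            results["safe"] = "rendered"
        except SandboxEscape:
            results["safe"] = "blocked"
        results["benign"] = render_safe("{{ include welcome.txt }}", sandbox)
        return results


if __name__ == "__main__":
    print(demo())  # unsafe leaks SECRET, safe blocks the traversal, benign include still works
```

The fix is the prefix check after canonicalisation, not input filtering: rejecting the literal `..` would still let a symlink or an absolute path escape, which is why the hardened resolver compares the resolved path against the resolved root.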
Impact of the Vulnerability
- Unauthorized File Access: Attackers can exploit this vulnerability to access confidential files stored on the server, leading to data leaks that may include sensitive user information or proprietary company data.
- Administrative Privilege Escalation: By bypassing authentication, attackers can gain administrative access to the CrushFTP server and change system settings and configurations, which further facilitates their activity.
- Remote Code Execution: The vulnerability opens the door to remote code execution, enabling attackers to deploy malware on the server, install backdoors, destroy data, or use the host as a launchpad for attacks on other systems in the network.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-4040 as exploited in the wild; it is not known by CISA to be used in ransomware campaigns. That status can change quickly.
CISA's recommendation is: apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
CrushFTP <= 10.0
CrushFTP < 10.7.1
CrushFTP < 11.1.0
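A small triage helper for checking an inventory against the ranges above, written for this page and not a vendor tool. It assumes a plain dotted version string such as `11.0.3` (a product name prefix is tolerated), treats the `<= 10.0` entry as subsumed by `< 10.7.1`, and assumes that any branch newer than 11 is not covered by this CVE, since the page names no such branch.

```python
import re

# First fixed release on each branch, from the affected-version ranges above.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> tuple:
    """Turn '11.0.3', 'CrushFTP 10.7' or 'v9.5' into a 3-tuple of ints (missing parts are 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside the ranges listed for CVE-2024-4040."""
    version = parse_version(text)
    major = version[0]
    if major > 11:
        return False   # assumption: branches newer than those named on the page
    if major < 10:
        return True    # everything before 10.7.1 is affected, so 9.x and older too
    return version < FIXED[major]


def triage(banners: list) -> dict:
    """Map each version string to its status; useful over a list of discovered hosts."""
    return {b: ("vulnerable" if is_vulnerable(b) else "fixed") for b in banners}


if __name__ == "__main__":
    # Constructed sample input, not real scan data.
    print(triage(["10.7.0", "10.7.1", "11.0.3", "11.1.0", "CrushFTP 9.5", "10.0"]))
```

Note the branch split: `11.0.3` compares greater than `10.7.1` as a tuple but is still vulnerable, which is why the check keys on the major version before comparing.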
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
CVE-2024-4040 Detection: A Critical CrushFTP Zero-Day Vulnerability Exploited in the Wild Targeting U.S. Organizations - SOC Prime
Detect CVE-2024-4040 exploitation attempts, a new critical CrushFTP zero-day vulnerability, with a novel Sigma rule from SOC Prime Platform.
8 months ago
CrushFTP Zero-Day Exploitation Due to CVE-2024-4040 | Qualys Security Blog
CrushFTP disclosed a zero-day vulnerability in their software on April 19, 2024. The vulnerability is published on CVE-2024-4040. Affected versions: The CVSS…
8 months ago
+1,400 CrushFTP servers vulnerable to CVE-2024-4040
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability.
8 months ago
References
EPSS Score
EPSS estimates a 96% probability of exploitation activity in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Vulnerability started trending
- CISA Reported
- Exploit known to exist
- First article discovered by Tenable
- Vulnerability reserved
- Vulnerability published