CrushFTP on Friday released patches for a zero-day vulnerability in the file transfer server, warning customers of its in-the-wild exploitation.
Impacting CrushFTP versions 9, 10, and 11, the security defect allows an unauthenticated attacker to escape their virtual file system (VFS) and retrieve system files, potentially opening the door to further exploitation.
In its advisory, CrushFTP points out that customers using a DMZ server, which filters protocols and connections, are protected against attacks.
Patches were included in CrushFTP versions 10.71 and 11.1.0. Customers still using CrushFTP version 9 should upgrade to a patched release.
In a Friday notice to customers that was shared on Reddit, CrushFTP underlined that it was aware of in-the-wild exploitation, urging customers to apply the available patches immediately.
“Please take immediate action to patch ASAP. A vulnerability was reported today (April 19, 2024), and we patched it immediately. v10 version 10.71 is patched. v11 version 11.1.0 is patched. This vulnerability exists in the wild,” the vendor told customers.
CrushFTP has credited Simon Garrelou of Airbus CERT for discovering and reporting the vulnerability, but has not shared specific details on the observed attacks.
On Friday, cybersecurity firm CrowdStrike noted in a Reddit post that the vulnerability had been exploited in the wild in a targeted fashion, mainly against US entities.
CrowdStrike said the observed attacks were likely focused on intelligence gathering or might have been politically motivated, but did not share further details.
A proprietary multi-protocol file transfer server available for Windows, macOS, and Linux, CrushFTP has been around since 1999 and is available as shareware, with a tiered pricing model.
Responding to a SecurityWeek inquiry, CrushFTP said that it has not received customer reports regarding successful exploits and that no security firm, other than Airbus CERT, has contacted it with information on potential attacks.
“Airbus CERT reported they had observed it in the wild, so we believe them, as they reported the vulnerability to us,” CrushFTP said.
“We are hopeful customers will get updated before it becomes actively used in the wild. We are assisting customers in updating as fast as we can currently. Updating is simple, and customers should already be in practice of doing regular updates,” CrushFTP also said.
While it could not confirm how many customers have updated to a patched release yet, CrushFTP said that interest in the issue has spiked, which should result in customers staying vigilant about updating.
*updated with information from CrushFTP
Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability
Related: SEC Investigating Progress Software Over MOVEit Hack
Related: Accellion to Retire File Transfer Service Targeted in Attacks