5000+ CrushFTP Servers Hacked Using Zero-Day Exploit

A critical zero-day vulnerability (CVE-2024-4040) has been identified in CrushFTP versions prior to 10.7.1 and 11.1.0. It allows unauthenticated attackers to remotely escape a user's VFS sandbox via the WebInterface port; by exploiting it, attackers can gain administrative access and execute arbitrary code on the server.

Upgrading to a patched version (10.7.1 or 11.1.0) is crucial to mitigate this vulnerability, even for servers located within a DMZ. Security researchers are actively tracking vulnerable CrushFTP instances as well as infrastructure attempting to exploit the flaw.
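As an added example (not code from the article, from CrushFTP or from Silent Push), the script below triages an inventory of CrushFTP servers against the fixed releases named above; the hostnames and version strings are constructed sample data, and treating anything newer than the 11.x branch as patched is an assumption.

```python
"""Triage a CrushFTP inventory against the CVE-2024-4040 fixed versions.

Only the fixed-version thresholds (10.7.1 and 11.1.0) come from the
advisory text; the sample inventory below is constructed.
"""
from typing import Iterable

# First fixed release in each supported branch, per the advisory.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.7.1' (or a short form like '10.7') into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '10.7' -> (10, 7, 0)


def is_vulnerable(version: str) -> bool:
    """True if this build predates the fix for its branch.

    Branches older than 10 (e.g. 9.x) have no fixed release listed, so they
    are reported as vulnerable. Assumption: branches newer than 11 carry the fix.
    """
    v = parse_version(version)
    major = v[0]
    if major in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[major]
    return major < 10


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Split (host, version) pairs into vulnerable / patched / unknown buckets."""
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable banner: needs a manual check
        report[bucket].append(host)
    return report


# Constructed sample inventory; the DMZ host is included because the
# advisory says DMZ placement is not a substitute for patching.
SAMPLE_INVENTORY = [
    ("ftp-dmz.example.test", "10.7.0"),
    ("ftp-hq.example.test", "10.7.1"),
    ("ftp-eu.example.test", "11.0.2"),
    ("ftp-lab.example.test", "11.1.0"),
    ("ftp-old.example.test", "9.4"),
    ("ftp-unk.example.test", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```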

SPQL, a custom free-form query language, is used to categorize data continuously scanned from the clearnet and dark web; the results are made available to customers for locating web content and associated infrastructure potentially vulnerable to CVE-2024-4040.

Silent Push CrushFTP Bulk Data Feeds

Using publicly available information about CVE-2024-4040, a CrushFTP server-side template injection vulnerability, a query was run to find vulnerable web interfaces exposed on the Internet.

Enterprise customers can use two distinct bulk data feeds, created by grouping the results by domain and by IP address, to identify and examine infrastructure vulnerable to this critical CrushFTP vulnerability.

SPQL can query domain name system (DNS) datasets that are divided into more than 90 categories; here it is used to show how vulnerable CrushFTP interfaces are distributed around the world.

The visualization is a map that shows the geographic distribution of these susceptible servers, which can help potential targets and the security community understand the scope of the issue.

Global distribution of CrushFTP web interfaces

The Silent Push analysis of impacted servers reveals a geographic concentration in North America and Europe, with the majority located in the United States, Canada, and continental Europe, while the remaining servers are dispersed relatively evenly across South America, Russia, Asia, and Australia.

The distribution pattern suggests a possible correlation between server location and exploitation of the vulnerability, though further investigation is required to pinpoint the specific cause and determine any mitigating actions.

Enterprise users can use the Bulk Data Feeds API endpoint to retrieve a list of vulnerable CrushFTP instances (domains and IPs), which can be used internally to identify vulnerable systems within the organization's own infrastructure.

Security teams can also integrate this information with existing scoring systems to assess the external attack surface and prioritize risk based on vulnerable CrushFTP deployments. 

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Co-Founder & Editor-in-Chief, Cyber Press Inc.
