Reference: Advisory #2023-142
Version: 1.0
Affected software: CrushFTP prior to 10.5.6
Type: Unauthenticated mass-assignment vulnerability
CVE/CVSS: CVE-2023-43177; CVSS 3.x severity and metrics not known at this time
In August 2023, security researchers detected and responsibly disclosed a zero-day vulnerability in CrushFTP software version 10.5.1 and lower. Exploitation of said vulnerability (CVE-2023-43177) could lead to unauthenticated remote code execution.
CrushFTP is an enterprise-grade file transfer server that runs on any operating system that can run Java 8.
Adversaries have developed proof of concept exploits. Compromise could have high impact on confidentiality, integrity and availability.
A security patch is available. Although security researchers indicate that the vulnerability was fixed in CrushFTP version 10.5.2, the vendor itself warns that all versions prior to 10.5.6 are vulnerable and advises updating immediately.
Using the capabilities offered by the vulnerability, an attacker can escalate to full system compromise, including root-level remote code execution.
The Centre for Cyber Security Belgium (CCB) strongly recommends upgrading to the latest version of CrushFTP as indicated by the CrushFTP development team.
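To act on the upgrade recommendation above, a defender needs to know which CrushFTP installations fall below the vendor's 10.5.6 threshold. The following is an added example (not part of the CCB advisory and not CrushFTP's own tooling) that triages a constructed, hypothetical inventory of hostnames and version strings against both thresholds quoted in the advisory; it compares versions numerically, which matters because a plain string comparison would wrongly rank a version such as 10.5.10 below 10.5.6.

```python
# Added example, not from the CCB advisory. Classifies CrushFTP versions
# against the two fix thresholds the advisory quotes.
from typing import Dict, List, Tuple

VENDOR_FIXED = (10, 5, 6)      # vendor: everything prior to 10.5.6 is vulnerable
RESEARCHER_FIXED = (10, 5, 2)  # researchers: fix first present in 10.5.2

STATUS_VULNERABLE = "vulnerable"
STATUS_UPGRADE = "upgrade (vendor says vulnerable, researchers say fixed)"
STATUS_PATCHED = "patched"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.5.10' into (10, 5, 10) so tuples compare numerically.

    Lexicographic string comparison would rank '10.5.10' below '10.5.6';
    integer tuples avoid that mistake.
    """
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map a CrushFTP version string to a remediation status."""
    v = parse_version(version)
    if v >= VENDOR_FIXED:
        return STATUS_PATCHED
    if v >= RESEARCHER_FIXED:
        # In the window where the vendor and the researchers disagree,
        # follow the stricter (vendor) guidance and schedule the upgrade.
        return STATUS_UPGRADE
    return STATUS_VULNERABLE


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {host: status} for a list of (host, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = [
    ("ftp-a.example.invalid", "10.5.1"),
    ("ftp-b.example.invalid", "10.5.3"),
    ("ftp-c.example.invalid", "10.5.10"),
    ("ftp-d.example.invalid", "9.9.9"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```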