A critical zero-day vulnerability in CrushFTP servers is being actively exploited in targeted attacks, prompting the company to urge customers to patch their systems immediately. The security flaw, fixed in the latest versions of CrushFTP released today, allows attackers to escape the user’s virtual file system and download system files without authentication.
The vulnerability was reported by Simon Garrelou of Airbus CERT and is now patched in CrushFTP versions 10.7.1 and 11.1.0. Customers with servers running older versions of CrushFTP are advised to upgrade to the latest versions or update their instances via the dashboard.
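The patched releases named above differ per branch (10.7.1 for the 10.x line, 11.1.0 for the 11.x line), so a simple "newer than X" check is not enough. The following is an added triage script, not from the article or from CrushFTP, that sorts an inventory of instances by whether their version string is older than the fix for its own branch; it assumes dotted numeric version strings and treats majors below 10 as needing an upgrade.

```python
# Added example (not the article's or the vendor's code): decide whether a
# CrushFTP version string predates the fixed release for its major branch.
# Fixed versions are those the article names: 10.7.1 and 11.1.0.
from typing import List, Tuple

FIXED_VERSIONS = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.6.2' or '11.0' into a 3-tuple; raise on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def needs_upgrade(version: str) -> bool:
    """True when the version is older than the fix for its own branch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        # Assumption: majors below 10 predate both fixed releases, so they
        # need an upgrade; majors above 11 are taken to postdate the fix.
        return major < 10
    return (major, minor, patch) < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) rows; unparsable versions are flagged."""
    rows = []
    for host, version in inventory:
        try:
            verdict = "UPGRADE" if needs_upgrade(version) else "patched"
        except ValueError:
            verdict = "UNKNOWN, check manually"
        rows.append((host, version, verdict))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("ftp-a.example", "10.6.2"), ("ftp-b.example", "11.0.3"),
              ("ftp-c.example", "11.1.0"), ("ftp-d.example", "n/a")]
    for host, version, verdict in triage(sample):
        print(f"{host:16} {version:8} {verdict}")
```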
According to cybersecurity company CrowdStrike, the zero-day vulnerability has been observed in targeted attacks on CrushFTP servers at multiple U.S. organizations. Evidence suggests that the attacks are part of an intelligence-gathering campaign, potentially politically motivated.
CrushFTP customers are urged to monitor the vendor’s website for the most up-to-date instructions and to prioritize patching their systems. This latest security issue comes after CrushFTP customers were previously warned to patch a critical remote code execution vulnerability in November.