CrushFTP SSTI (CVE-2024-4040) - Vulnerability Database

Description

CrushFTP versions prior to the patched release contain a critical server-side template injection (SSTI) vulnerability that allows remote attackers to execute malicious code without authentication. Attackers can exploit this flaw to read files outside the configured Virtual File System (VFS) sandbox, bypass authentication mechanisms to obtain administrative privileges, and execute arbitrary commands on the underlying server operating system.

Remediation

Immediately upgrade CrushFTP to the latest patched version that addresses CVE-2024-4040. Follow these steps:
1. Back up your current CrushFTP configuration and data
2. Download the latest version from the official CrushFTP website
3. Follow the official update instructions at https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
4. Verify the update was successful by checking the version number in the administration panel
5. Review system logs for any suspicious activity or unauthorized access attempts that may have occurred before the patch was applied
6. If immediate patching is not possible, consider temporarily restricting network access to the CrushFTP service to trusted IP addresses only until the update can be applied
