A critical zero-day vulnerability has been discovered in CrushFTP’s file transfer software, affecting versions v11 to 11.1 [5].


Security researcher Simon Garrelou from Airbus CERT identified this flaw, which allows users to escape the Virtual File System (VFS) and download system files [1] [3]. The vulnerability has been actively exploited in targeted attacks. CrushFTP has notified users of this vulnerability impacting their FTP software [4], urging them to update to version 11.1.0 to mitigate the risk. CrowdStrike’s Falcon OverWatch and Falcon Intelligence have confirmed the flaw and recommended the update. The vulnerability affects systems running CrushFTP and supports file transfers through various protocols. Users with a demilitarized zone (DMZ) perimeter network in front of their CrushFTP instance are protected from these attacks [6]. Organizations in demilitarized zones may be shielded [5], but others should install the update promptly [5]. Customers using CrushFTP v11 versions below 11.1 are at risk of users escaping their VFS and downloading system files [2]. CrushFTP responded quickly with updates for v10 and v11 versions [5], while v9 users can receive updates through extended support [5]. CrowdStrike reports politically motivated attacks against American organizations exploiting this flaw [5].


The impact of this vulnerability is significant, with targeted attacks exploiting the flaw. Organizations are urged to update their CrushFTP software to version 11.1.0 to mitigate the risk. Future implications include the need for heightened security measures to protect against similar vulnerabilities in file transfer software.


[1] https://digital.nhs.uk/cyber-alerts/2024/cc-4482
[2] https://www.scmagazine.com/brief/intrusions-exploiting-critical-crushftp-zero-day-underway
[3] https://cyber.vumetric.com/security-news/2024/04/20/critical-update-crushftp-zero-day-flaw-exploited-in-targeted-attacks/
[4] https://securityaffairs.com/162067/hacking/crushftp-zero-day-exploited.html
[5] https://meterpreter.org/crushftp-zero-day-patched-update-now-v11-1-0/
[6] https://www.infosecurity-magazine.com/news/crushftp-file-transfer/