"Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day"
According to the Shadowserver Foundation, over 1,400 CrushFTP Managed File Transfer (MFT) software instances are vulnerable to a zero-day. The Server-Side Template Injection (SSTI) bug, tracked as CVE-2024-4040 with a CVSS score of 9.8, enables remote attackers to escape the Virtual File System (VFS) sandbox, gain administrative privileges, and execute arbitrary code. This article continues to discuss the vulnerability of more than 1,400 CrushFTP servers to an actively exploited zero-day for which Proof-of-Concept (PoC) code has been published.
SecurityWeek reports "Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day"
Submitted by grigby1
Submitted by Gregory Rigby
on