CrushFTP urges customers to patch file transfer tool ‘ASAP’

A vulnerability in popular file transfer tool CrushFTP is already being exploited in attacks, the company said Monday. 

Last week, the company released both public and private notices to customers about a vulnerability affecting a version of their file transfer tool, which was first disclosed on April 19.

The vulnerability was discovered by Airbus CERT’s Simon Garrelou and was given the tag CVE-2024-4040 on Monday afternoon. The latest version of the tool has a patch fixing the bug. 

A CrushFTP official told Recorded Future News that they do not yet know of any customers affected but that compromise is likely. 

“I am sure there have been, and they just are slow to apply updates and don't realize yet,” they said.

“We have seen a customer who was already patched who was probed for the vulnerability. Had they not been updated, important config info would have been stolen. We can't stress enough that customers need to update ASAP, or block all IPs except known good IPs and operate in a whitelisting mode,” the official said. 

First reported by BleepingComputer, the vulnerability caused alarm because the company’s private notice said a user “could retrieve system files that are not part of their [virtual file system].”

“This could lead to escalation as they learn more, etc,” the company told customers.

Cybersecurity firm CrowdStrike released its own advisory saying their team has “observed this exploit being used in the wild in a targeted fashion.” CrowdStrike noted that “multiple U.S. entities were affected and said “intelligence-gather activity possibly politically motivated.”

CrushFTP said it is difficult for customers to check if they have been exploited due to the type of the vulnerability, as there “is no silver bullet search term to check for” when searching through logs.

File transfer tools are ripe targets for hackers interested in data theft. Two of the biggest security incidents in 2023 revolved around zero-day vulnerabilities in file transfer tools MOVEit and GoAnywhere — exposing thousands of organizations to hackers who stole troves of data on millions of people.