File transfer company CrushFTP warns of zero-day exploit seen in the wild

The popular file transfer company CrushFTP said it has discovered a previously unknown vulnerability being exploited by hackers.

In an advisory late on Friday, the company’s president Ben Spink said they found a zero-day exploit in the wild, explaining that “hackers apparently reverse engineered our code and found some bug which we had already fixed.” 

“They are exploiting it for anyone who has not stayed current on new versions,” Spink said. “We believe this bug was in builds prior to July 1st time period roughly … The latest versions of CrushFTP already have the issue patched.” 

Researchers at the Shadowserver Foundation said they saw more than 1,000 unpatched instances of the software across the world, including hundreds in the U.S. and Europe. 

CrushFTP provided guidelines for what customers can do if they were exploited. The company saw the bulk of exploits on the morning of July 18 but noted that hackers may have begun abusing the vulnerability a day earlier.

Spink added that some hackers have been manipulating exploited versions of the software to make it look like it is up-to-date when it is not “to give a false sense of security.”

CrushFTP is used by thousands of companies to send and receive important data. File transfer software has been repeatedly targeted by hackers and cybercriminal groups looking to steal sensitive information being transferred by governments, businesses, universities and more. 

The U.S. Cybersecurity and Infrastructure Security Agency warned of another CrushFTP vulnerability being exploited by hackers in April, and just last week they said a vulnerability in products from file transfer company Wing FTP Server is being used in attacks. 

While it is unclear who is carrying out the most recent attacks on CrushFTP, the Clop ransomware gang and its iterations have repeatedly discovered zero-day vulnerabilities in file sharing software and exploited them, causing mass data breach incidents globally. 

Cleo, MOVEit, GoAnywhere and Accellion file transfer companies have all faced campaigns of attacks by cybercriminal organizations over the last five years.