
WARNING: CRITICAL CRUSHFTP VULNERABILITY CAN LEAD TO UNAUTHENTICATED REMOTE CODE EXECUTION (RCE), PATCH IMMEDIATELY!

Reference: Advisory #2023-142
Version: 1.0
Affected software: CrushFTP prior to 10.5.6
Type: Unauthenticated mass-assignment vulnerability
CVE/CVSS: CVE-2023-43177; CVSS 3.x severity and metrics not known at this time

Risks

In August 2023, security researchers detected and responsibly disclosed a zero-day vulnerability in CrushFTP software version 10.5.1 and lower. Exploitation of this vulnerability (CVE-2023-43177) could lead to unauthenticated remote code execution.

CrushFTP is an enterprise-grade file transfer server that runs on any operating system that can run Java 8.

Adversaries have developed proof-of-concept exploits. Compromise could have a high impact on confidentiality, integrity and availability.

A security patch is available. Although security researchers indicate that the vulnerability has been fixed in CrushFTP version 10.5.2, the company itself warns that all versions prior to 10.5.6 are vulnerable and advises updating immediately.

Description

Using the capabilities offered by the vulnerability, an attacker can escalate to full system compromise, including root-level remote code execution.

Recommended Actions

The Centre for Cyber Security Belgium (CCB) strongly recommends upgrading to the latest version of CrushFTP as indicated by the CrushFTP development team.
