Exploit for CrushFTP RCE chain released, patch now
18-Nov-23
A proof-of-concept exploit for a critical remote code execution vulnerability in the CrushFTP enterprise suite was made available to the public. This exploit gave unauthenticated attackers access to the server’s files, allowed them to run code, and revealed the passwords in plain form. Converge security researchers found the vulnerability in August 2023 and responsibly reported it to the vendor. It is tagged as CVE-2023-43177. Overnight, CrushFTP 10.5.2 was updated by the developers with a fix.
The CVE-2023-43177 vulnerability has a proof-of-concept exploit revealed today by Converge, thus users of CrushFTP must install the security upgrades as soon as possible. Through the use of an unauthenticated mass-assignment vulnerability and AS2 header parsing, the CrushFTP exploit manipulates user session properties.
