A vulnerability (CVE-2024-4040) in enterprise file transfer solution CrushFTP is being exploited by attackers in a targeted fashion, according to Crowdstrike. The vulnerability allows attackers to escape their virtual file system and download system files (i.e., configuration files), but only if the solution’s WebInterface is exposed on the internet. According to Censys, there are currently 9,600+ publicly-exposed CrushFTP hosts (virtual & physical), mostly in North America and Europe. About CVE-2024-4040 CrushFTP sent out notices about … More

The post CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) appeared first on Help Net Security.