A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
The error results from improper server-side template handling (CWE-1336, CWE-94), allowing an attacker to inject malicious code into the template engine without requiring any credentials. Exploitation of the vulnerability enables bypassing the virtual file system sandbox (VFS Sandbox) and accessing operating system resources. Consequently, an attacker can escalate the attack to complete server takeover by executing arbitrary system commands (RCE).
An attacker can obtain unauthorized administrative access, read arbitrary files from the file system outside the VFS Sandbox, and execute remote code on the server (RCE), leading to complete system takeover.
CrushFTP must be immediately updated to version 10.7.1 or newer (in the 10.x branch) or to version 11.1.0 or newer (in the 11.x branch). Update instructions are available in the official manufacturer's wiki at the addresses provided in the references.
CrushFTP in all versions before 10.7.1 and before 11.1.0 on all platforms
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCrushftp
APPCrushftp10.0.0 – 10.7.1 (bez)11.0.0 – 11.1.0 (bez)
CISA KEV — detailsi
- Vendori
- CrushFTP
- Producti
- CrushFTP
- Added to KEVi
- April 24, 2024
- Remediation deadline (US Federal)i
- May 1, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Related vulnerabilities
CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny
CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora
CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła
CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)
CrushFTP 8.x before 8.2.0 has a serialization vulnerability.