CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-53552

CVSS 9.8v3.1pub. 2024-12-10upd. 2025-06-27

CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) involves improper handling of the password reset process. An attacker can exploit the flawed reset mechanism without needing any privileges or user interaction, conducting the attack remotely over the network. As a result, it is possible to take full control of a selected account.

Impact

An attacker can take over any user account in the CrushFTP system, gaining unauthorized access to stored data and FTP server functions. In the case of administrative account takeover, the consequences may include complete system compromise.

Mitigation & patch

CrushFTP must be updated immediately to version 10.8.3 or newer (for the 10 branch) or to version 11.2.3 or newer (for the 11 branch). Details are available in the vendor documentation at: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

Who is affected

CrushFTP version 10 before 10.8.3 and CrushFTP version 11 before 11.2.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Crushftp

    APP
    Crushftp
    10.0.0 – 10.8.3 (bez)11.0.0 – 11.2.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-54309CRITICAL9.0⚠ KEVPL ✓ten sam produkt

CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny

CVE-2025-31161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora

CVE-2024-4040CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia

CVE-2023-43177CRITICAL9.8PL ✓ten sam produkt

CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)

CVE-2017-14035CRITICAL9.8ten sam produkt

CrushFTP 8.x before 8.2.0 has a serialization vulnerability.