CVE-2024-4040 — CrushFTP VFS Sandbox Escape Vulnerability

CVE-2024-4040

CrushFTP — Unauthenticated VFS Escape Enables Arbitrary File Read and Admin Credential Theft

What is CrushFTP?

CrushFTP is a cross-platform enterprise file transfer server that provides secure file sharing via SFTP, FTPS, HTTPS, WebDAV, and proprietary protocols. It is deployed by enterprises, government agencies, and managed service providers as a secure managed file transfer (MFT) solution — handling sensitive documents, data transfers between partners, and automated workflows. CrushFTP's virtual file system (VFS) sandboxes user sessions so that authenticated users can only access designated directories; bypassing the VFS grants read access to the underlying server filesystem, including CrushFTP configuration files, admin credentials, and the files of all other users.

Overview

CVE-2024-4040 is a server-side template injection (SSTI) vulnerability in CrushFTP's web interface that lets an unauthenticated remote attacker escape the virtual file system (VFS) sandbox and read arbitrary files on the server, including the CrushFTP configuration file that holds administrator credentials. It was exploited as a zero-day in an intelligence-gathering campaign against US organizations before any public disclosure: CrushFTP notified customers via its mailing list on April 19, 2024, three days before the CVE was published on April 22. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog two days after publication with a one-week remediation deadline. CrowdStrike assessed the activity as targeted intelligence gathering rather than opportunistic or financially motivated intrusion.

Affected Versions

Product          Vulnerable   Fixed
CrushFTP 11.x    < 11.1.0     11.1.0
CrushFTP 10.x    < 10.7.1     10.7.1
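The branch split matters for triage: 10.8 is newer than 10.7.1 and therefore fixed, yet a naive single-threshold comparison against 11.1.0 would flag it. The following Python check is an added example written for this page, not vendor tooling; it assumes CrushFTP version strings start with dotted integers and that anything after them (a build suffix such as "_12") can be ignored, and it treats branches older than 10.x as unfixed, which is an assumption rather than a statement from the table.

```python
import re

# Fixed versions per branch, taken from the Affected Versions table above.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(s):
    """Return the leading dotted-integer part of a version string as a tuple.

    Accepting and discarding a trailing build suffix (e.g. '11.0.3_12') is an
    assumption about CrushFTP's version grammar, not a documented format.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so (11, 1) == (11, 1, 0)


def is_vulnerable(version):
    """True if this CrushFTP version predates the fix for its own branch."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[major]
    if major > 11:
        return False  # assumption: branches newer than 11.x carry the fix
    return True  # assumption: branches older than 10.x never received one


def triage(inventory):
    """Map host -> verdict for a {host: version} inventory."""
    return {host: ("VULNERABLE" if is_vulnerable(ver) else "fixed")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"mft-1": "11.0.3", "mft-2": "11.1.0", "mft-3": "10.7.0",
              "mft-4": "10.8.0", "mft-5": "11.0.3_12"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Feed it whatever version string your asset inventory or the server banner reports; the per-branch dictionary is the only part that changes when a vendor ships fixes on more than one line.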

Technical Details

CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine, i.e. server-side template injection). CrushFTP's web interface renders dynamic content through a templating engine. User-supplied input reaches that engine without adequate sanitization, so an attacker can submit template syntax that the server evaluates rather than treating as data. The injected directive escapes the VFS boundary, the layer that is supposed to confine each session to its designated directories, and reads from the underlying filesystem with the privileges of the CrushFTP process: anything the service account can open is exposed. The injection point is reachable without valid credentials, which is why the CVSS vector carries PR:N.

The most immediately exploitable consequence: an attacker can read the CrushFTP configuration file (CrushFTP.xml or equivalent), which contains:

  • Hashed (or in some configurations, cleartext) administrator passwords
  • SMTP/email account credentials
  • S3 and cloud storage credentials
  • SSL certificate private keys

With administrator credentials, an attacker can fully control the CrushFTP instance, access all hosted files, and potentially pivot to connected cloud storage and services.
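To make the bug class concrete, below is a deliberately tiny template engine in Python with one file-include directive, written for this page as an illustration of CWE-1336 and the VFS escape it enables. It is not CrushFTP's engine: the `{{include ...}}` and `{{param ...}}` syntax, the file names and the paths are all invented. The vulnerable renderer pastes a user-supplied parameter into the template before directives are evaluated, and its include resolver lets an absolute path override the VFS root; the hardened renderer evaluates directives first, so user data is never interpreted, and refuses any include that resolves outside the VFS root.

```python
import os
import re
import shutil
import tempfile

# Directive syntax of this toy engine (invented for the example, not
# CrushFTP's): {{include <path>}} splices a file in, {{param <name>}}
# inserts a request parameter.
INCLUDE_RE = re.compile(r"\{\{include ([^}]+)\}\}")
PARAM_RE = re.compile(r"\{\{param ([a-z_]+)\}\}")


def expand_includes_naive(text, vfs_root):
    """Vulnerable resolver: os.path.join() discards vfs_root when the
    requested path is absolute, so '/anything' escapes the sandbox."""
    def splice(m):
        with open(os.path.join(vfs_root, m.group(1))) as f:
            return f.read()
    return INCLUDE_RE.sub(splice, text)


def expand_includes_contained(text, vfs_root):
    """Hardened resolver: canonicalise and refuse anything outside vfs_root."""
    root = os.path.realpath(vfs_root)

    def splice(m):
        requested = m.group(1).lstrip("/\\")          # treat as VFS-relative
        target = os.path.realpath(os.path.join(root, requested))
        if os.path.commonpath([root, target]) != root:
            raise PermissionError(f"include escapes VFS: {m.group(1)}")
        with open(target) as f:
            return f.read()
    return INCLUDE_RE.sub(splice, text)


def render_vulnerable(template, params, vfs_root):
    """SSTI: parameter values are pasted into the template text *before*
    directives run, so a value containing a directive gets evaluated."""
    text = PARAM_RE.sub(lambda m: params.get(m.group(1), ""), template)
    return expand_includes_naive(text, vfs_root)


def render_fixed(template, params, vfs_root):
    """Directives run first, on the trusted template only; parameter values
    are inserted afterwards as inert text, and includes are contained."""
    text = expand_includes_contained(template, vfs_root)
    return PARAM_RE.sub(lambda m: params.get(m.group(1), ""), text)


def demo():
    """Scratch VFS plus a 'server config' outside it (all constructed), then
    the same attacker input through both renderers. Returns the observations."""
    base = tempfile.mkdtemp()
    try:
        vfs_root = os.path.join(base, "vfs", "alice")
        os.makedirs(vfs_root)
        with open(os.path.join(vfs_root, "banner.txt"), "w") as f:
            f.write("Welcome to the file share.")
        secret = os.path.join(base, "server.xml")   # stands in for a config file
        with open(secret, "w") as f:
            f.write("<admin password='hunter2'/>")

        template = "{{include banner.txt}}\nHello, {{param name}}!"
        attack = {"name": "{{include " + secret + "}}"}   # directive in user data

        leaked = render_vulnerable(template, attack, vfs_root)
        safe = render_fixed(template, attack, vfs_root)
        try:                                 # containment check on its own
            expand_includes_contained("{{include ../../server.xml}}", vfs_root)
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
        return {
            "vulnerable_leaks_secret": "hunter2" in leaked,
            "fixed_leaks_secret": "hunter2" in safe,
            "fixed_output": safe,
            "traversal_blocked": traversal_blocked,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The two fixes are independent and both are needed: evaluating directives before substitution stops user data from being interpreted, and the containment check stops a directive that does run (from a template an attacker can influence) from reaching outside the sandbox.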

Discovery

CrushFTP LLC became aware of in-the-wild exploitation on or before April 19, 2024, when it began notifying customers via email and its support mailing list. The zero-day was exploited in targeted attacks before any public disclosure.

Exploitation Context

CrowdStrike Intelligence documented active exploitation in a campaign against US organizations, describing the threat actor as conducting reconnaissance and intelligence gathering, a profile consistent with espionage rather than financially motivated intrusion. The one-week CISA deadline (April 24 to May 1) reflects the urgency of confirmed, in-progress exploitation. Because CrushFTP is usually internet-facing by design (it exists to exchange files with external parties), the exposed population was large, and an unauthenticated file read against it needs no foothold, credential or phishing step.

Remediation

  1. Upgrade to CrushFTP 11.1.0 (11.x branch) or 10.7.1 (10.x branch) immediately.
  2. If patching must be delayed, enable CrushFTP's DMZ proxy feature to isolate the public-facing interface from the core server. This is a temporary compensating control that reduces exposure; it is not a substitute for the patch.
  3. After patching, assume every secret stored in the CrushFTP configuration was read: rotate admin passwords, SMTP credentials, cloud storage keys and any API tokens, and revoke the old values where the provider supports it.
  4. Review CrushFTP and web access logs for the period before the patch was applied, looking for unexpected file reads, in particular requests that reference configuration file paths or traverse outside a user's VFS root. A hit makes step 3 mandatory rather than precautionary, and the host should be handled as compromised.
  5. Reissue TLS certificates with new private keys if the keystore or key files were readable by the CrushFTP process during the exposure window (they normally are).
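A first pass over the logs from step 4, as an added example for this page rather than vendor tooling. It assumes a flat "timestamp client method path status" line layout; the sample lines, the `/ui/?path=` endpoint and parameter name are constructed for the example, and the indicator list (the CrushFTP.xml file the advisory names, per-user XML files, keystores, traversal sequences, absolute paths in parameters) is an assumption to adapt to the real deployment and log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed "timestamp client method path status"
# layout. The /ui/?path= endpoint and parameter are invented for the example.
SAMPLE_LOG = """\
2024-04-20T09:58:11Z 198.51.100.23 GET /ui/login 200
2024-04-20T09:58:40Z 198.51.100.23 GET /ui/?path=reports/q1.pdf 200
2024-04-20T10:02:07Z 203.0.113.9 GET /ui/?path=../../../CrushFTP.xml 200
2024-04-20T10:02:09Z 203.0.113.9 GET /ui/?path=/opt/crushftp/users/MainUsers/admin/user.XML 200
2024-04-20T10:02:15Z 203.0.113.9 GET /ui/?path=%2e%2e%2f%2e%2e%2fkeystore.jks 200
2024-04-23T08:10:00Z 203.0.113.9 GET /ui/?path=../../../CrushFTP.xml 403
"""

# Indicators of a read that has left the user's VFS. File and directory names
# other than CrushFTP.xml are assumptions to tune per deployment.
CONFIG_ARTIFACT = re.compile(
    r"CrushFTP\.xml|users/MainUsers|user\.XML|\.jks\b|\.pem\b|\.key\b", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.I)
ABSOLUTE_IN_PARAM = re.compile(r"=(?:/|[A-Za-z]:\\)")


def parse_line(line):
    ts, client, method, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "path": path, "status": int(status),
    }


def classify(path):
    """Names every indicator a request path trips; empty list means benign."""
    reasons = []
    if CONFIG_ARTIFACT.search(path):
        reasons.append("config-artifact")
    if TRAVERSAL.search(path):
        reasons.append("traversal")
    if ABSOLUTE_IN_PARAM.search(path):
        reasons.append("absolute-path")
    return reasons


def review(log_text, patched_at):
    """Group suspicious pre-patch requests by client.

    patched_at is an ISO-8601 timestamp (string or datetime). Later entries are
    skipped because step 4 asks about the exposure window; they still deserve
    a look for attacker persistence, just not in this pass."""
    if isinstance(patched_at, str):
        patched_at = datetime.fromisoformat(patched_at.replace("Z", "+00:00"))
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["ts"] >= patched_at:
            continue
        reasons = classify(e["path"])
        if reasons:
            findings[e["client"]].append(
                {"ts": e["ts"].isoformat(), "path": e["path"],
                 "status": e["status"], "reasons": reasons})
    return dict(findings)


def successful_reads(findings):
    """Subset with a 2xx status: the candidates for 'the file was actually read'."""
    return {c: [h for h in hits if 200 <= h["status"] < 300]
            for c, hits in findings.items()}


if __name__ == "__main__":
    patched = "2024-04-22T00:00:00Z"  # assumed time the patch was applied
    for client, hits in successful_reads(review(SAMPLE_LOG, patched)).items():
        for h in hits:
            print(client, h["ts"], h["status"], ",".join(h["reasons"]), h["path"])
```

A 2xx response to a request that trips the config-artifact indicator is the result to chase first; a string of 4xx responses from the same client before the patch is still reconnaissance worth recording, and the same client appearing after the patch is a reason to widen the investigation beyond this host.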

Key Details

Property               Value
CVE ID                 CVE-2024-4040
Vendor / Product       CrushFTP — CrushFTP
NVD Published          2024-04-22
NVD Last Modified      2026-02-26
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-1336
CISA KEV Added         2024-04-24
CISA KEV Deadline      2024-05-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-05-01. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-04-19    CrushFTP notifies customers of an actively exploited zero-day via its mailing list and urges immediate update to 11.1.0 (11.x) or 10.7.1 (10.x)
2024-04-22    CVE-2024-4040 published (NVD)
2024-04-24    Added to CISA Known Exploited Vulnerabilities catalog
2024-05-01    CISA BOD 22-01 remediation deadline

References

Resource                    Type
CrushFTP Update Notes       Vendor Advisory
NVD — CVE-2024-4040         Vulnerability Database
CISA KEV Catalog Entry      US Government