What is CVE-2024-4040?

CVE-2024-4040 is a critical-severity vulnerability in Crushftp, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 9.8/10. Published 2024-04-22.

How severe is CVE-2024-4040?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2024-4040 known to be exploited?

Yes. CVE-2024-4040 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-04-24), indicating it is being actively exploited. 67 public proof-of-concept repositories are indexed.

Vulnerability in Crushftp

CVE-2024-4040

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authenticatio…

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Crushftp — versions 10.0, 11.0

Weakness classification (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2024-04-24. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2024-05-01.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public proof-of-concept exploits

References

www.crushftp.com/crush11wiki/Wiki.jsp (vendor-advisory)
www.crushftp.com/crush10wiki/Wiki.jsp (vendor-advisory)
www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_v… (related)
www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-… (media-coverage)
www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_cr… (third-party-advisory)
www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enabl… (third-party-advisory)
github.com/airbus-cert/CVE-2024-4040 (exploit)

Frequently asked questions

What is CVE-2024-4040?: CVE-2024-4040 is a critical-severity vulnerability in Crushftp, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 9.8/10. Published 2024-04-22.
How severe is CVE-2024-4040?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2024-4040 known to be exploited?: Yes. CVE-2024-4040 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-04-24), indicating it is being actively exploited. 67 public proof-of-concept repositories are indexed.