CrushFTP, a widely used enterprise file transfer software, has recently been the subject of a security alert urging users to upgrade to the latest version following the discovery of a significant vulnerability. This flaw, found in versions prior to CrushFTP v11.1, allows users to bypass the Virtual File System (VFS) and access system files, posing a serious security risk. The vulnerability was identified by Simon Garrelou of Airbus CERT and has been promptly addressed in the latest software release, CrushFTP v11.1.0, effectively patching the security gap.
Despite the availability of a fix, the issue gained considerable attention after cybersecurity firm CrowdStrike reported observing exploits of the vulnerability being used in targeted attacks. These attacks have primarily affected U.S. entities and are suspected to be politically motivated for intelligence gathering. The nature of the attacks and the specifics of the targets have heightened concerns over the potential impact of the vulnerability.
CrowdStrike’s findings underscore the criticality of updating CrushFTP software to the latest version to mitigate potential threats. Users operating their CrushFTP instances within a demilitarized zone (DMZ) are reportedly shielded from these attacks, providing an additional layer of security. However, for most users, updating to v11.1.0 remains the most direct and effective method to secure their systems against possible exploitation.