
Critical CrushFTP Vulnerability Exploited by Hackers—Update Now to Prevent Breach


Hackers Exploit Critical CrushFTP Flaw to Breach Enterprise Networks Worldwide

By EL Ouchen, International Cybersecurity Correspondent
July 20, 2025

In a chilling escalation of cyber intrusions, a critical zero-day vulnerability in CrushFTP, a widely used secure file transfer server, has been exploited by malicious actors to silently infiltrate enterprise systems across the globe. The flaw, tracked as CVE-2024-4040, enables unauthenticated attackers to gain elevated privileges and exfiltrate sensitive data without detection.

“This is a high-severity, real-world exploit affecting active production systems,” said Simon Garrel, a threat analyst at Rapid7. “What makes this attack particularly dangerous is its stealth—it bypasses authentication mechanisms and leaves minimal traces.”

The vulnerability affects CrushFTP versions before 10.7.1 and 11.1.0, allowing attackers to abuse a path traversal flaw in the WebInterface, granting them unauthorized access to system files. Once inside, hackers can download configuration data, including user credentials and encrypted password keys, effectively compromising the entire CrushFTP environment.


Technical Breakdown

Researchers revealed that attackers leveraged the flaw by crafting malicious VFS (Virtual File System) entries. These entries trick CrushFTP into displaying and granting access to files located outside the user’s intended directory scope.

Crucially, the exploit:

  • Does not require prior authentication
  • Grants access to sensitive server files (prefs.XML, users/MainUsers/)
  • Bypasses the server’s normal access restrictions
  • Can lead to complete system compromise

A proof-of-concept shared by Rapid7 shows how a malicious user could retrieve encrypted admin credentials by manipulating VFS paths via a standard HTTP request to the WebInterface.

Once credentials are obtained and decrypted (if password secrets are weak), attackers can escalate privileges or move laterally within the network.


Global Impact

CrushFTP is used by governments, financial institutions, healthcare providers, and tech firms—making this exploit a severe threat across critical sectors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a formal advisory on July 19, urging immediate patching and compromise assessments.

“Organizations running CrushFTP must upgrade to the patched versions immediately. This vulnerability is under active exploitation and poses a high risk to sensitive data,” warned CISA in its bulletin.


Vendor Response and Mitigation

CrushFTP was notified responsibly and released emergency patches (v10.7.1 and v11.1.0) within days. The vendor also published an official advisory with mitigation steps.

Recommended actions:

  • Upgrade CrushFTP to the latest secure version
  • Audit logs for unauthorized VFS access
  • Rotate any credentials stored in CrushFTP
  • Monitor for signs of lateral movement

Organizations should also check whether they were running vulnerable versions between February and July 2025, as attackers appear to have launched the campaign months before public disclosure.
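The version check above is the first thing a defender wants to automate across an inventory of file transfer hosts. The following script is an added example, not code from the article, from The Hacker News, or from CrushFTP itself: it encodes only the two fixed releases the article names (10.7.1 for the 10.x branch, 11.1.0 for the 11.x branch), assumes version banners of the form "major.minor.patch", and deliberately reports any other major version as unassessed rather than guessing. The host names and banners are constructed sample data.

```python
"""Added example (not from the article or from CrushFTP): flag CrushFTP
version strings that fall below the fixed releases named in the advisory."""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the article: 10.7.1 for the 10.x branch, 11.1.0 for 11.x.
FIXED_RELEASES = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.5' (or a banner such as 'CrushFTP 10.6') into a tuple of ints.
    Missing components are treated as 0, so '10.7' becomes (10, 7, 0)."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch, False if
    it is at or above it, None if the major version is not one the advisory
    covers (assumption: we do not guess about other branches)."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: banner} inventory to a triage status."""
    result = {}
    for host, banner in inventory.items():
        status = is_vulnerable(banner)
        if status is True:
            result[host] = "PATCH NOW"
        elif status is False:
            result[host] = "patched"
        else:
            result[host] = "unassessed"
    return result


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "CrushFTP 10.6.2",
    "ftp-b.example.internal": "CrushFTP 11.0.5",
    "ftp-c.example.internal": "CrushFTP 11.1.0",
    "ftp-d.example.internal": "CrushFTP 10.7",
    "ftp-e.example.internal": "CrushFTP 9.5",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed the script whatever banner or package-inventory strings your asset management tool exports; hosts marked "PATCH NOW" also belong on the list for the log audit and credential rotation the article recommends, since a vulnerable version alone does not tell you whether the host was reached during the campaign window.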


Broader Significance

This incident underscores the growing danger of zero-day attacks on widely deployed infrastructure software, especially in secure file transfer systems that often handle sensitive client and operational data.

It also reveals a disturbing trend: threat actors exploiting file servers not just to steal data, but to use them as launchpads for deeper network intrusions.

“This is not just a CrushFTP issue—it’s a wake-up call about secure file transfer systems in general. They are high-value targets, and attackers know it,” said Elena Kozlova, senior researcher at SentinelOne.


Conclusion

As cyberattacks grow more targeted and stealthy, organizations must move beyond reactive patching and embrace proactive threat hunting, configuration auditing, and secure architecture principles. For users of CrushFTP, the message is clear: patch now, audit deeply, and remain vigilant.

Source:
The Hacker News – Hackers Exploit Critical CrushFTP Flaw
