Users of the enterprise file transfer software CrushFTP are being urged to update to the latest version after the discovery of a security flaw that is being exploited in a targeted manner in the wild.
“CrushFTP v11 versions below 11.1 have a vulnerability that allows users to escape VFS and download system files,” CrushFTP said in an advisory published Friday. “This was patched in v11.1.0.”
That said, customers who operate CrushFTP instances within the restricted environment of a DMZ (demilitarized zone) are protected from attacks.
Simon Garrelou of Airbus CERT is credited with discovering and reporting the flaw. A CVE identifier has not yet been assigned.
CrowdStrike, a cybersecurity company, said in a post shared on Reddit that it has observed an exploit for this flaw being used in the wild “in a targeted manner.”
These intrusions are said to have primarily targeted US companies, and the intelligence-gathering operations are suspected to have been politically motivated.
“CrushFTP users should continue to follow their vendor's website for the latest instructions and prioritize patching,” CrowdStrike said.