Cyber Resilience

CVE-2023-43177

Severity: Critical · Public PoC

Published: 18 November 2023
Modified: 21 November 2024
KEV Added: (none)
Patch: (none)
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7682 (99.0th percentile)
Risk Priority: 66 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-43177 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in CrushFTP (vendor: CrushFTP). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CrushFTP versions prior to 10.5.1 are affected by CVE-2023-43177, an instance of Improperly Controlled Modification of Dynamically-Determined Object Attributes tracked as CWE-913. The flaw carries a CVSS 3.1 base score of 9.8 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely exploitable condition that can compromise confidentiality, integrity, and availability without any authentication or user interaction.

Unauthenticated attackers with network access can supply crafted input that manipulates object attributes at runtime, enabling them to achieve arbitrary code execution or full system compromise on the affected CrushFTP server.

Public references describe the issue as a zero-day disclosure and point to technical write-ups and pending GitHub disclosures that focus on the discovery timeline; the version constraint in the CVE record itself indicates that upgrading to CrushFTP 10.5.1 or later addresses the vulnerability.

The associated EPSS score reached a peak of 0.9662 and remains elevated at 0.7682, reflecting substantial post-disclosure exploitation interest that warrants renewed attention from defenders.

Vulnerability details

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: crushftp
Product: crushftp
Versions: ≤ 10.5.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-913): Requiring explicit authorization for, and maintaining ongoing control over, mobile code implements proper management of dynamically loaded code resources.
