CVE-2023-43177
Published: 18 November 2023
Summary
CVE-2023-43177 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in CrushFTP. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CrushFTP versions prior to 10.5.1 are affected by CVE-2023-43177, an instance of Improperly Controlled Modification of Dynamically-Determined Object Attributes tracked as CWE-913. The flaw carries a CVSS 3.1 base score of 9.8 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely exploitable condition that can compromise confidentiality, integrity, and availability without any authentication or user interaction.
Unauthenticated attackers with network access can supply crafted input that manipulates object attributes at runtime, enabling arbitrary code execution or full system compromise on the affected CrushFTP server.
Public references describe the issue as a zero-day disclosure and point to technical write-ups and pending GitHub disclosures that focus on the discovery timeline. The version constraint in the CVE record itself indicates that upgrading to CrushFTP 10.5.1 or later addresses the vulnerability.
The associated EPSS score reached a peak of 0.9662 and remains elevated at 0.7682, reflecting substantial post-disclosure exploitation interest that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47596
Vulnerability details
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
- CWE(s): CWE-913 (Improper Control of Dynamically-Managed Code Resources)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization for, and maintaining ongoing control over, mobile or dynamically loaded code implements proper management of dynamically managed code resources.