CVE-2024-4040
Published: 22 April 2024
Summary
CVE-2024-4040 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in CrushFTP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-4040 is a server-side template injection vulnerability affecting CrushFTP versions prior to 10.7.1 and 11.1.0 across all platforms. The flaw, tracked under CWE-1336 and CWE-94, permits unauthenticated remote attackers to escape the virtual file system sandbox, read arbitrary files on the underlying host, bypass authentication controls, and execute arbitrary code with administrative privileges.
Unauthenticated attackers with network access can exploit the issue by submitting crafted template expressions that are processed on the server. Successful exploitation grants full read access outside the intended VFS boundaries, administrative login bypass, and remote code execution, resulting in complete server compromise as reflected by the CVSS 9.8 base score.
Vendor advisories direct administrators to upgrade immediately to CrushFTP 10.7.1 or 11.1.0; the updates close the template injection vector and are referenced in the official CrushFTP wiki update pages. Public exploit code and technical analyses have been published on GitHub and by Rapid7.
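As an added, defender-side example (not code from this record or from CrushFTP), the following Python encodes the two fix boundaries named above so a version inventory can be triaged; note that 11.0.x is still affected because its fix is 11.1.0, not 10.7.1. The handling of version suffixes and of hypothetical 12.x releases is an assumption.

```python
"""Triage CrushFTP versions for CVE-2024-4040 exposure.

Added illustration. Encodes the advisory's fixed releases: every release
before 10.7.1 on the 10.x line and before 11.1.0 on the 11.x line is
affected, as are all older major versions.
"""
import re
from typing import Dict, Tuple

FIXED_10 = (10, 7, 1)
FIXED_11 = (11, 1, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '11.0.3' into a comparable int tuple.

    Assumption: only the leading dot-separated numeric fields matter; a
    trailing suffix such as '_beta' is ignored. Short forms are padded so
    '10.7' compares as (10, 7, 0).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True when the given CrushFTP version predates the fixed release."""
    v = parse_version(version)
    if v[0] < 10:
        return True          # older major lines never received the fix
    if v[0] == 10:
        return v < FIXED_10  # 10.x fixed in 10.7.1
    if v[0] == 11:
        return v < FIXED_11  # 11.x fixed in 11.1.0 (11.0.x is affected)
    return False             # assumption: later major lines postdate the fix


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'affected' or 'patched' for an inventory."""
    return {host: ("affected" if is_affected(ver) else "patched")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the host names are not real.
    sample = {"ftp-a": "10.6.2", "ftp-b": "10.7.1", "ftp-c": "11.0.3",
              "ftp-d": "11.1.0", "ftp-e": "9.4.1"}
    for host, state in triage(sample).items():
        print(f"{host}: {sample[host]} -> {state}")
```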
The vulnerability was disclosed as an actively exploited zero-day, with security researchers and media outlets confirming in-the-wild attacks shortly after publication. The associated EPSS score remains elevated, with a current value of 0.9443 and a recorded peak of 0.9679.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32605
Vulnerability details
A server-side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
- CWE(s): CWE-1336, CWE-94
- KEV Date Added: 24 April 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-4040 (SSTI in CrushFTP) enables exploitation of a public-facing application (T1190) for unauthenticated arbitrary file reads, which yields data from the local system (T1005) and credentials in files (T1081); the authentication bypass that grants administrative access maps to exploitation for privilege escalation (T1068) and exploitation for credential access (T1212).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.