Exploit for CrushFTP RCE chain released, patch now
A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.
Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.
Exploiting CrushFTP

The CrushFTP exploit is conducted through an unauthenticated mass-assignment vulnerability, exploiting the AS2 header parsing to control user session properties.
It's vital to implement these security measures as soon as possible, as the publicly disclosed exploit details of CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.
News URL
https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/
Related news
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-18 | CVE-2023-43177 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crushftp CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. | 9.8 |