
Exploit for CrushFTP RCE chain released, patch now
2023-11-18 15:06

A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.

Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.

Exploiting CrushFTP

The exploit abuses an unauthenticated mass-assignment vulnerability in CrushFTP's AS2 header parsing to control user session properties.

It's vital to install the security updates as soon as possible, as the publicly disclosed exploit details for CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.

News URL

https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                               RISK
2023-11-18  CVE-2023-43177  Improper Control of Dynamically-Managed Code Resources vulnerability in Crushftp   critical 9.8
                            CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
                            Attack vector: network; low complexity; vendor: crushftp; weakness: CWE-913

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Crushftp 1 0 6 0 3 9