Security News > 2023 > November > Exploit for CrushFTP RCE chain released, patch now
A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.
Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.
Exploiting CrushFTP. The CrushFTP exploit is conducted through an unauthenticated mass-assignment vulnerability, exploiting the AS2 header parsing to control user session properties.
It's vital to implement these security measures as soon as possible, as the publicly disclosed exploit details of CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.
RCE exploit for Wyze Cam v3 publicly released, patch now.
Exploit available for critical WS FTP bug exploited in attacks.
News URL
https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/
Related news
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- 'Patch yesterday': Zimbra mail servers under siege through RCE vuln (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Emergency patch: Cisco fixes bug under exploit in brute-force attacks (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-18 | CVE-2023-43177 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crushftp CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. | 9.8 |