Exploit for CrushFTP RCE chain released, patch now (Security News, November 2023)

A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.
Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.
Exploiting CrushFTP

The CrushFTP exploit is conducted through an unauthenticated mass-assignment vulnerability, exploiting the AS2 header parsing to control user session properties.
It's vital to implement these security measures as soon as possible, as the publicly disclosed exploit details of CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.
News URL
https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/
Related news
- RCE exploit for Wyze Cam v3 publicly released, patch now
- Calls for Visual Studio security tweak fall on deaf ears despite one-click RCE exploit
- VMware warns admins of public exploit for vRealize RCE flaw
- Citrix urges 'immediate' patch for critical NetScaler bug as exploit PoC made public
- Act Now: VMware Releases Patch for Critical vCenter Server RCE Vulnerability
- CISA warns of actively exploited Juniper pre-auth RCE exploit chain
- Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2023-11-18 | CVE-2023-43177 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crushftp CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. | 9.8 |