CrushFTP: Attacks on admins possible
Attackers can hide malicious code in CrushFTP logs. Patched versions are available.
The CrushFTP file transfer software is vulnerable. If attacks are successful, attackers can completely compromise systems. A security update has been available since November of this year. However, information on the closed vulnerability has only now been published.
Critical malware vulnerability
Anyone using CrushFTP should ensure that version 10.8.3 or 11.2.3 is installed. Support for CrushFTP 7, 8 and 9 has expired and these versions will no longer receive security updates. If you are still using one of these versions, you should upgrade for security reasons.
Because input in the Host header is processed incorrectly, an attacker can exploit the "critical" vulnerability (CVE-2024-11986) without authentication. In the course of the attack, the attacker can permanently place malicious code in the web application log (stored XSS). If an admin calls up the log, the malicious code is executed.
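As an added illustration (not CrushFTP's own code; the log format and sample entries are constructed), the following Python shows both halves of this issue from the defender's side: a check that flags log entries whose Host value cannot be a legal host name, which is one way an admin could notice such entries, and the HTML escaping a log viewer needs so that an injected entry displays as text instead of executing.

```python
"""Added example: spotting markup smuggled into a web log via the Host header,
and rendering log entries safely. The log format is constructed for this
illustration and is NOT CrushFTP's own format."""
import html
import re

# A syntactically legal Host header value: host name or IPv4/IPv6 literal,
# optionally followed by a port. Anything else cannot be a genuine Host value.
VALID_HOST = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$")

# Extracts the quoted Host value from a constructed 'host="..."' log field.
HOST_FIELD = re.compile(r'host="([^"]*)"')

# Constructed sample lines in a generic 'timestamp client host="..." request' format.
SAMPLE_LOG = [
    '2024-11-12T10:02:11Z 203.0.113.5 host="files.example.com" GET /WebInterface/',
    '2024-11-12T10:02:15Z 203.0.113.5 host="[2001:db8::1]:8443" GET /WebInterface/',
    '2024-11-12T10:03:40Z 198.51.100.9 host="<img src=x onerror=alert(1)>" GET /',
]


def suspicious_host_entries(lines):
    """Return (line_number, host_value) for entries whose Host value is not a
    legal host[:port]; markup characters such as '<' are the tell-tale sign."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = HOST_FIELD.search(line)
        if match is None:
            continue
        host = match.group(1)
        if not VALID_HOST.match(host):
            hits.append((number, host))
    return hits


def render_entry_html_unsafe(line):
    """The vulnerable pattern the advisory describes: log content that came
    from an untrusted request is placed into the viewer page verbatim."""
    return f"<li>{line}</li>"


def render_entry_html(line):
    """Hardened rendering: escape the entry so '<', '>', '&' and quotes are
    shown as text; the browser never sees injected tags as markup."""
    return f"<li>{html.escape(line, quote=True)}</li>"


if __name__ == "__main__":
    for number, host in suspicious_host_entries(SAMPLE_LOG):
        print(f"line {number}: suspicious Host value {host!r}")
    print(render_entry_html(SAMPLE_LOG[2]))
```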
It is currently not known whether there are already attacks. It also remains unclear how admins can recognize attacked PCs.
(des)