CVE-2024-4040

9.8 CRITICAL

📋 TL;DR

CVE-2024-4040 is a critical server-side template injection vulnerability in CrushFTP that allows unauthenticated attackers to read files outside the sandbox, bypass authentication to gain admin access, and execute arbitrary code. All CrushFTP versions before 10.7.1 and 11.1.0 are affected across all platforms. This enables complete server compromise without requiring any authentication.

💻 Affected Systems

Products:
  • CrushFTP
Versions: All versions before 10.7.1 and 11.1.0
Operating Systems: All platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All CrushFTP installations with default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with administrative privileges, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthenticated remote code execution leading to data theft, ransomware deployment, or server compromise.

🟢 If Mitigated: Limited impact if patched immediately and proper network segmentation is in place.

🌐 Internet-Facing: HIGH - Unauthenticated exploit allows complete compromise from internet-facing servers.
🏢 Internal Only: HIGH - Even internal servers are vulnerable to network-accessible attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available, actively exploited in the wild. Attack requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.7.1 or 11.1.0

Vendor Advisory: https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update

Restart Required: Yes

Instructions:

1. Download the latest version from the CrushFTP website.
2. Stop the CrushFTP service.
3. Install the update.
4. Restart the service.
5. Verify the version is 10.7.1+ (v10) or 11.1.0+ (v11).

🔧 Temporary Workarounds

Network Isolation (linux)

Restrict network access to CrushFTP servers using firewall rules. Replace trusted_network with your management network; these two rules cover port 443 only, so add equivalent rules for any other ports your instance listens on.

  iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Web Interface (all platforms)

Temporarily disable the web interface if it is not required: edit the CrushFTP config to disable the web server.

🧯 If You Can't Patch

  • Immediately isolate affected servers from internet and restrict internal network access
  • Implement strict network monitoring and IDS/IPS rules to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check CrushFTP version in admin interface or via systemctl status crushftp

Check Version:

grep 'CrushFTP Version' /path/to/crushftp/logs/server.log | tail -1

Verify Fix Applied:

Verify version shows 10.7.1 or higher for v10, or 11.1.0 or higher for v11
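The version check above can be automated. The following POSIX shell helper is an added example, not part of this advisory and not CrushFTP's own tooling: it extracts the version from a log line of the kind the grep above returns and compares it against the fixed releases named here (10.7.1 for the 10.x branch, 11.1.0 for the 11.x branch). The "CrushFTP Version: X.Y.Z" log layout, the stripping of an underscore build suffix, and the treatment of majors newer than 11 as fixed are assumptions; the sample log line is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from CrushFTP): pull the version
# out of a server.log line and compare it against the fixed releases named
# above, 10.7.1 for the 10.x branch and 11.1.0 for the 11.x branch.

# Return 0 (true) when dotted version $1 is numerically lower than $2.
version_lt() {
  _a="$1"; _b="$2"
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _ha="${_a%%.*}"; _hb="${_b%%.*}"
    if [ "$_a" = "$_ha" ]; then _a=""; else _a="${_a#*.}"; fi
    if [ "$_b" = "$_hb" ]; then _b=""; else _b="${_b#*.}"; fi
    _ha="${_ha:-0}"; _hb="${_hb:-0}"      # missing components count as 0
    [ "$_ha" -lt "$_hb" ] && return 0
    [ "$_ha" -gt "$_hb" ] && return 1
  done
  return 1                                 # equal, so not lower
}

# Extract "X.Y.Z" from a log line. The "CrushFTP Version: X.Y.Z" layout is an
# assumption based on the grep pattern in this advisory, not a documented format.
version_from_log_line() {
  printf '%s\n' "$1" | sed -n 's/.*CrushFTP Version[: ]*\([0-9][0-9.]*\).*/\1/p'
}

# Print "vulnerable" or "patched" for a version string; return 1 or 0 to match.
# A build suffix after an underscore (e.g. 10.6.2_3, assumed) is ignored.
crushftp_status() {
  _v="${1%%_*}"
  _major="${_v%%.*}"
  case "$_major" in
    10) _fixed="10.7.1" ;;
    11) _fixed="11.1.0" ;;
    *)
      # Branches older than 10 predate both fixes; anything newer than 11 is
      # assumed to carry the fix (the page does not say either way).
      if [ "$_major" -lt 10 ]; then echo vulnerable; return 1; fi
      echo patched; return 0 ;;
  esac
  if version_lt "$_v" "$_fixed"; then echo vulnerable; return 1; fi
  echo patched; return 0
}

# Constructed sample line (not real CrushFTP output) to exercise the pipeline.
SAMPLE_LOG_LINE='2024-04-22 10:15:01 INFO CrushFTP Version: 10.6.2 starting'
crushftp_status "$(version_from_log_line "$SAMPLE_LOG_LINE")" || true
```

In practice feed it the last matching log line, for example the output of the grep command above, and treat a non-zero exit status as "still vulnerable" in your inventory script.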

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • Unauthenticated admin login attempts
  • File read operations outside VFS

Network Indicators:

  • HTTP requests with template injection payloads
  • Unauthenticated requests to admin endpoints

SIEM Query:

source="crushftp.logs" AND ("template" OR "sandbox" OR "unauth")
