CVE-2024-4040 Detection: A Critical CrushFTP Zero-Day Vulnerability Exploited in the Wild Targeting U.S. Organizations
While CVE-2024-21111 exploitation risks have been a serious concern for organizations running Oracle VirtualBox, another critical vulnerability has been hitting the headlines. CrushFTP has disclosed a zero-day vulnerability in its server product that is already being widely exploited. The maximum-severity flaw, tracked as CVE-2024-4040, has been weaponized in a series of in-the-wild attacks against organizations in the U.S. and can lead to remote code execution (RCE) and complete system takeover.
Detect CVE-2024-4040 Exploitation Attempts
The exponential rise in adversary campaigns that weaponize security bugs in popular software solutions underscores the need to elevate cyber defenses at scale and explore new ways for proactive vulnerability identification and detection. SOC Prime Platform offers the world’s largest Detection-as-Code library of algorithms, addressing any cyber attack or emerging threat under a 24-hour SLA. Log into the Platform and drill down to the curated detection algorithm addressing potential exploitation attempts targeting a new CrushFTP zero-day vulnerability known as CVE-2024-4040.
Sigma rule to detect CVE-2024-4040 exploitation attempts
This detection algorithm, developed by Threat Bounty content author Bogac KAYA, is aligned with the MITRE ATT&CK® framework, addressing the Initial Access tactic and the corresponding Exploit Public-Facing Application (T1190) technique. The rule can be applied across dozens of SIEM, EDR, and Data Lake technologies, helping defenders accelerate their Detection Engineering routine.
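The Sigma rule itself is not reproduced on this page. As an added example that is neither SOC Prime's rule nor CrushFTP's code, the Python script below runs equivalent detection logic over a few constructed access-log lines: it flags requests to CrushFTP's /WebInterface/function/ endpoint whose parameters carry the <INCLUDE> template tag, the indicator published in vendor and Rapid7 guidance for this flaw (not stated on this page), and tags each hit with T1190. The combined log format (as a reverse proxy in front of CrushFTP would write it), the IP addresses, and the request parameters are all constructed for the example; the script also undoes nested percent-encoding so that a double-encoded or lower-cased tag is not missed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format, as a reverse proxy
# in front of CrushFTP would write them. IPs (documentation ranges) and requests are
# made up for this example.
SAMPLE_LOG_LINES = [
    '198.51.100.4 - - [22/Apr/2024:10:14:55 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Apr/2024:10:15:03 +0000] "GET /WebInterface/function/?command=getUserList&c2f=aaaa HTTP/1.1" 200 240 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2024:10:15:11 +0000] "GET /WebInterface/function/?command=zip&c2f=abcd&path=%3CINCLUDE%3E/etc/passwd%3C/INCLUDE%3E&names=* HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    # Same technique, double-percent-encoded and lower-cased to dodge a naive string match
    '203.0.113.7 - - [22/Apr/2024:10:15:19 +0000] "GET /WebInterface/function/?command=zip&c2f=abcd&path=%253Cinclude%253E/etc/shadow%253C/include%253E&names=* HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    'this line is not in combined format and must be skipped, not crash the parser',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
WEBINTERFACE_PREFIX = "/WebInterface/function/"
# Opening or closing CrushFTP template tag, any case, optional whitespace
TEMPLATE_TAG_RE = re.compile(r"<\s*/?\s*INCLUDE\s*>", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target: str) -> Optional[Dict]:
    """Return details if a request target looks like a CVE-2024-4040 attempt, else None."""
    parts = urlsplit(target)
    if not decode_fully(parts.path).startswith(WEBINTERFACE_PREFIX):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)  # strips one encoding layer
    tainted = [k for k, v in params
               if TEMPLATE_TAG_RE.search(decode_fully(v)) or TEMPLATE_TAG_RE.search(decode_fully(k))]
    if not tainted:
        return None
    return {"command": dict(params).get("command"), "tainted_params": tainted}


def detect(lines: List[str]) -> List[Dict]:
    """Run the check over log lines; each alert is tagged with the ATT&CK technique."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it rather than abort the whole sweep
        hit = analyze_request(m["target"])
        if hit is None:
            continue
        alerts.append({
            "src_ip": m["ip"], "timestamp": m["ts"], "status": int(m["status"]),
            "technique": "T1190", "cve": "CVE-2024-4040", **hit,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(alert)
```

The check only sees parameters that reach the log it is fed: an attempt sent in a POST body is invisible in a plain access log, so point it at a source that records request parameters (CrushFTP's own logs, or a proxy configured to log them), and treat any hit as a T1190 Initial Access attempt against that host regardless of the HTTP status the server returned.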
Aspiring and skilled detection content authors are welcome to embark on their Threat Bounty Program journey, our crowdsourced initiative enabling defenders to both advance and monetize their Detection Engineering skills. Check out the recording of our latest interactive workshop to learn how to make the most of your Threat Bounty Program participation, get your detection content successfully published, and continuously improve your maturity and detection content quality.
Enterprises constantly challenged with higher velocity requirements in their SOC operations due to the ever-expanding attack surface are seeking ways to redefine and supercharge their threat detection strategies. Click the Explore Detections button to access the extensive feed of SOC content for CVE detection and contribute to strengthening your organization’s defenses.
CVE-2024-4040 Analysis
A new zero-day vulnerability in CrushFTP servers, identified as CVE-2024-4040, poses high risks to multiple U.S. organizations, and defenders have already reported in-the-wild attacks leveraging a working CVE-2024-4040 exploit. The flaw, rated with the maximum CVSS score of 10.0, is a server-side template injection vulnerability that affects CrushFTP 10 releases before 10.7.1 and CrushFTP 11 releases before 11.1.0, as well as all legacy CrushFTP 9 installations, which must be upgraded to a fixed 10.x or 11.x release.
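Turning the affected-version statement above into a repeatable inventory check, as an added example that is not CrushFTP's or SOC Prime's code: the script parses a version or banner string into a comparable tuple and applies the ranges stated here (all 9.x, 10.x before 10.7.1, 11.x before 11.1.0). The sample inventory, its host names and the treatment of branches older than 9 or newer than 11 are assumptions made for the example and are labelled as such in the code.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated above: every legacy CrushFTP 9 release, CrushFTP 10
# before 10.7.1, and CrushFTP 11 before 11.1.0. First fixed release per branch:
FIXED_BY_BRANCH: Dict[int, Version] = {10: (10, 7, 1), 11: (11, 1, 0)}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a version or banner string.

    Accepts "10.6.2", a partial "11.1", or a banner such as
    "CrushFTP Server 10.5.1 build 1234"; missing components default to 0.
    Raises ValueError when the string contains no version-looking token.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the given CrushFTP version falls in a CVE-2024-4040 affected range."""
    parsed = parse_version(version)
    major = parsed[0]
    if major <= 9:
        # All legacy 9 installs are affected. Assumption: anything older than 9
        # (not discussed on the page) is treated as affected too, to err on the
        # side of flagging it.
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # Assumption: a branch newer than 11 post-dates the fix and is clean.
        return False
    return parsed < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify host -> version string as 'affected', 'fixed' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # banner had no parsable version; check by hand
    return result


# Constructed sample inventory (made-up hosts) for running the script directly.
SAMPLE_INVENTORY = {
    "ftp-legacy.example.internal": "CrushFTP Server 9.4.0",
    "ftp-dmz-1.example.internal": "10.7.0",
    "ftp-dmz-2.example.internal": "10.7.1",
    "ftp-new.example.internal": "CrushFTP 11.0.3 build 4567",
    "ftp-patched.example.internal": "11.1.0",
    "ftp-odd.example.internal": "version banner disabled",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32} {status}")
```

A host that reports "unknown" is not safe by default; it simply has no parsable banner and needs a manual version check, which is the usual case when the login banner has been disabled for hardening.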
CVE-2024-4040 enables unauthenticated remote attackers to escape the virtual file system (VFS) sandbox and read files outside it, which can lead to full system compromise. Rapid7 researchers stress that the flaw is easy to exploit and allows arbitrary file read as root, authentication bypass to gain administrator account access, and complete RCE. According to researchers, the attacks weaponizing the flaw are likely politically motivated and aimed at intelligence gathering across various U.S. organizations.
Even though the vendor responded urgently by releasing the patched versions 10.7.1 and 11.1.0 and publishing a security advisory with recommendations for minimizing the risk, CVE-2024-4040 continues to be exploited in ongoing attacks that weaponize the publicly available exploit.
For CVE-2024-4040 mitigation, the vendor, along with the global defender community, strongly recommends that organizations relying on CrushFTP servers immediately update to a patched release (10.7.1 or 11.1.0). Rapid7 also recommends hardening CrushFTP servers against administrator-level RCE by enabling Limited Server mode with the most stringent configuration available, and restricting access to CrushFTP services at the firewall to specific source IP addresses wherever feasible. Because exploitation was observed before the fix shipped, patching alone does not show whether a server was already compromised; defenders should also review server logs for exploitation attempts and treat an internet-exposed instance that ran an affected version as potentially breached until that review is done.
With a PoC exploit publicly available, attacks abusing the CrushFTP vulnerability are expected to continue against unpatched servers. SOC Prime curates its complete suite of products for collective cyber defense based on threat intelligence exchange, crowdsourcing, zero-trust, and AI to help businesses eliminate the risks of emerging attacks of any scale and impact.