July 18th there is a 0-day exploit in the wild. A CVE has been submitted and we are awaiting the assigned of the ID.
Hackers apparently reverse engineered our code and found some bug we had, which we had already fixed, and are exploiting it for anyone who has not stayed up to date.
We believe this bug was in builds prior to July 1st time period roughly...we are not fully certain of the exact bug that is being exploited, but it appears the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server.
As always we recommend regularly and frequent patching.
We don't believe people with a DMZ CrushFTP in front of their main are affected by this.
Affected Versions:#
All version 10 below 10.8.5.All version 11 below 11.3.4_23.
If you were exploited:#
restore a prior default user from your backup folder from before the exploit. CrushFTP folder/backup/users/MainUsers/default.....These zip files cannot be extracted with native windows unzip and need winrar or macos or winzip etc to extract them.
Restore it to your CrushFTP folder/users/MainUsers/default
Future mitigation techniques:#
Limit IPs allowed for administrationWhitelist IPs that can connect to your server
Enterprise users use a DMZ Crush instance in front
Allow automatic and frequent patching
Compromise indicators:#
Your default user has "last_logins" in it...this would not be normal.The modified date on your default user.XML is recent...
Default user has admin access...
Add new attachment
- WebInterface
- Server Admin
- User Manager
- Client Apps
- CrushBalance Load Balancer
- High Availability
- Self Registration
- Preferences
- Email Templates
- Restrictions
- Replication
- Banning
- Logging
- Encryption
- Alerts
- Folder Monitor
- Tunnels
- Syncs
- User Config
- Search Config
- Preview
- Misc
- Plugins
- Manage Shares
- PGP
- Telnet
- FAQ
- API
- Linux Install
- Virtual Linux Server
- Server Variables
- Google Authenticator and Microsoft Authenticator
- AS2 EDI