A critical vulnerability (CVE-2023-43177) in CrushFTP allows hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge makes immediate updates essential for CrushFTP users. The exploit lets attackers read and delete files, and potentially gain total control over systems, through specific web ports and functions in CrushFTP.
Approximately 10,000 vulnerable instances exist, making them attractive targets for ransomware actors like Clop. Despite the patch, the risk persists because attackers can reverse-engineer it to build exploits. Users must update CrushFTP promptly to remain secure.
To effectively mitigate this risk, researchers at Converge recommend the following steps:
- Update CrushFTP to the latest version.
- Enable automatic security patch updates.
- Change the password algorithm to Argon.
- Audit for unauthorized users and check for recent password changes.
- Activate the new Limited Server mode for enhanced security.
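The audit step above (unauthorized users and recent password changes) can be scripted. The following is an added example, not tooling from Converge or from the CrushFTP project, and it rests on two assumptions: that each account's settings live in a per-user `user.XML` under the install's `users/MainUsers/` directory (verify this against your own install), and that a password change rewrites that file, so its modification time bounds when the last change happened. The account names and the approved baseline are constructed for the demo.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field

# Assumed layout (verify against your install): one directory per account under
# <CrushFTP install>/users/MainUsers/, each holding that account's user.XML.
USER_FILE = "user.XML"
DAY = 86400


@dataclass
class AuditReport:
    unexpected_users: list = field(default_factory=list)  # on disk but not in the approved baseline
    missing_users: list = field(default_factory=list)     # approved but not on disk
    recently_changed: list = field(default_factory=list)  # user.XML modified inside the window


def audit_users(users_dir, approved, max_age_days=7, now=None):
    """Compare the on-disk account set with an approved baseline and flag
    accounts whose settings file changed within the last max_age_days.
    The check is read-only: it never opens or modifies user.XML."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    approved = set(approved)
    present = set()
    report = AuditReport()
    for name in sorted(os.listdir(users_dir)):
        path = os.path.join(users_dir, name, USER_FILE)
        if not os.path.isfile(path):
            continue  # stray file or empty directory, not an account
        present.add(name)
        if name not in approved:
            report.unexpected_users.append(name)
        if os.path.getmtime(path) >= cutoff:
            report.recently_changed.append(name)
    report.missing_users = sorted(approved - present)
    return report


def build_sample_store(now):
    """Constructed sample store for the demo: three accounts with chosen
    modification times, written to a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="crushftp-audit-")
    users_dir = os.path.join(root, "users", "MainUsers")
    # Age of each account's user.XML: alice untouched for a month, the others recent.
    ages = {"alice": 30 * DAY, "bob": 2 * DAY, "svc_backup": 1 * DAY}
    for name, age in ages.items():
        os.makedirs(os.path.join(users_dir, name))
        path = os.path.join(users_dir, name, USER_FILE)
        with open(path, "w") as fh:
            fh.write("<user><username>%s</username></user>\n" % name)  # placeholder content
        os.utime(path, (now - age, now - age))
    return users_dir


def demo():
    """Run the audit against the constructed store with a constructed baseline:
    carol is approved but absent, svc_backup is present but never approved."""
    now = time.time()
    users_dir = build_sample_store(now)
    approved = ["alice", "bob", "carol"]
    return audit_users(users_dir, approved, max_age_days=7, now=now)


if __name__ == "__main__":
    r = demo()
    print("unexpected accounts :", r.unexpected_users)
    print("missing accounts    :", r.missing_users)
    print("changed in window   :", r.recently_changed)
```

Point `audit_users` at the real `users/MainUsers` directory and a baseline exported from your identity source, and run it after applying the update. The modification time cannot tell a password change from any other settings edit, so every account in `recently_changed` is a lead to review by hand, not a confirmed compromise; an account in `unexpected_users` warrants the same review before it is removed.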
Additional measures that can be implemented to enhance CrushFTP security further include:
- Using a limited-privilege operating system service account for CrushFTP.
- Deploying Nginx or Apache as a reverse proxy for public-facing servers.
- Setting firewall rules to limit CrushFTP traffic to trusted IP ranges and hosts.