CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: May 1, 2024

CVE-2024-4040

High

EPSS 94.4%CISA KEV

Description

CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).

EPSS — Exploit Probability

94.4%

Higher than 100.0% of all CVEs

Required Action

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34; https://nvd.nist.gov/vuln/detail/CVE-2024-4040

Related Articles (1)

Vulnerabilities

Bruteforce Scans for CrushFTP , (Tue, Mar 3rd)

CrushFTP is a Java-based open source file transfer system. It is offered for multiple operating systems. If you run a CrushFTP instance, you may remember that the software has had some serious vulnerabilities: CVE-2024-4040 (the template-injection flaw that let unauthenticated attackers escape th...

Mar 3, 2026

Risk Assessment

HIGH

In CISA KEV

High EPSS

Details

Severity: High
EPSS: 94.4%
CISA KEV: Yes
Ransomware: Unknown
Articles: 1

Timeline

Published

Apr 24, 2024

Added to KEV

Apr 24, 2024

Remediation Due

May 1, 2024

Affected Product

CrushFTP

View all CrushFTP CVEs

External Links

NVD (NIST)CVE Details MITRE CVE