CrushFTP file transfer server instances affected by a critical zero-day virtual file system (VFS) escape are under ongoing targeted attack; the flaw lets an attacker escape the VFS and download system files, Security Affairs reports.
The flaw was discovered by Simon Garrelou of Airbus CERT. CrowdStrike said in a Reddit post that its Falcon OverWatch and Falcon Intelligence services have already identified intrusions exploiting it.
CrushFTP has fixed the issue in v11.1.0. The software provides file transfer over FTP, HTTP, SFTP, FTPS, WebDAV and WebDAV over SSL. Instances running v11 builds below 11.1.0 that are not fronted by a CrushFTP DMZ should be updated.
"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files… Customers using a DMZ in front of their main CrushFTP instance are protected with the protocol translation system it utilizes," said CrushFTP, whose product also offers automation, user management, scripting and customization support.
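The check a defender wants first is which hosts in their estate fall under the vendor statement above. The script below is an added example, not CrushFTP's own code or tooling; it encodes only what the page states (v11 builds below 11.1 are affected, 11.1.0 carries the fix, DMZ-fronted instances are protected) and makes no claim about other release branches. The hostnames, version strings and DMZ flags in the inventory are constructed for illustration.

```python
"""Triage a CrushFTP inventory against the fix version named in the article.

Added example, not CrushFTP's own code. It encodes only the vendor statement
quoted above: v11 builds below 11.1 are affected, 11.1.0 is the fix, and a
CrushFTP DMZ in front of the main instance mitigates. Other release branches
are reported as "not covered" because the page says nothing about them.
"""
import re
from typing import List, Optional, Tuple

# Version that carries the fix, per the article.
FIXED_VERSION = (11, 1, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v11.0.3' or 'CrushFTP 11.1' into a comparable tuple, or None.

    A missing patch component is treated as 0 so '11.1' sorts as 11.1.0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for v11 builds below 11.1.0, i.e. exactly the vendor's statement."""
    return version[0] == 11 and version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (host, verdict) for each (host, version_text, behind_dmz) entry.

    Verdicts:
      'upgrade'        affected v11 build, directly exposed
      'mitigated-dmz'  affected v11 build, but fronted by a CrushFTP DMZ
                       (the page calls this protected; upgrading still closes the flaw)
      'patched'        v11 build at or above 11.1.0
      'not-covered'    not a v11 build; the quoted statement does not speak to it,
                       so consult the vendor advisory rather than assuming safety
      'unknown'        version string could not be parsed
    """
    results = []
    for host, version_text, behind_dmz in inventory:
        v = parse_version(version_text)
        if v is None:
            verdict = "unknown"
        elif v[0] != 11:
            verdict = "not-covered"
        elif not is_affected(v):
            verdict = "patched"
        elif behind_dmz:
            verdict = "mitigated-dmz"
        else:
            verdict = "upgrade"
        results.append((host, verdict))
    return results


# Constructed sample inventory: hostnames, versions and DMZ flags are made up.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "v11.0.3", False),
    ("mft-02.example.internal", "v11.0.3", True),
    ("mft-03.example.internal", "CrushFTP 11.1.0", False),
    ("mft-04.example.internal", "11.1", False),
    ("mft-05.example.internal", "10.7.0", False),
    ("mft-06.example.internal", "n/a", False),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

The version parser is deliberately loose so it accepts the formats an asset database or a banner scrape tends to hand back; anything it cannot parse is surfaced as unknown rather than silently skipped, since an unparsed host is exactly the one that gets forgotten.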