Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP

Analysis of the CrushFTP server-side template injection vulnerability and detection strategies for identifying exploitation attempts.

cve crushftp ssti exploitation detection splunk

Originally published on the Splunk Security Blog
Read the full article: Detecting CVE-2024-4040 in CrushFTP

The Vulnerability

CVE-2024-4040 is a server-side template injection (SSTI) vulnerability in CrushFTP allowing unauthenticated attackers to:

  • Read arbitrary files
  • Execute arbitrary code
  • Bypass authentication

CVSS Score: 9.8 (Critical)

Attack Vector

The vulnerability exists in the WebInterface component. Attackers inject template expressions that get evaluated server-side:

GET /WebInterface/function/?command=zip&c2f=AAAA&path=<INCLUDE>/etc/passwd</INCLUDE>

Why It’s Dangerous

  • No authentication is required
  • File transfer servers are often internet-facing
  • Such servers typically hold sensitive data
  • Exploitation has been observed in the wild

Detection Strategies

Web Logs

index=web sourcetype=crushftp 
  uri_path="*WebInterface*" 
  (uri_query="*INCLUDE*" OR uri_query="*c2f*")
| table _time, src_ip, uri_path, uri_query, status

Network Indicators

index=proxy dest_port=443 
  uri="*WebInterface/function*" 
  uri="*INCLUDE*"
| stats count by src_ip, dest, uri

Post-Exploitation Activity

index=sysmon EventCode=1 
  (ParentImage="*CrushFTP*" OR ParentImage="*java*")
  NOT Image="*java*"
| table _time, Computer, Image, CommandLine

The parentheses matter: in SPL, AND binds tighter than OR, so without them the query would return every java-spawned process regardless of index or EventCode. The exclusion is done in the search clause rather than `| where`, because `where` compares literally and does not expand `*` wildcards.
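As an added worked example (not from the Splunk article, and not CrushFTP's own code), the web-log check above expressed as a stand-alone Python scanner over a few constructed access-log lines. Unlike the plain `*INCLUDE*` wildcard, it URL-decodes the request before matching, so a percent-encoded `<INCLUDE>` tag is matched on the tag itself rather than on the bare word "INCLUDE". Log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2024:10:01:02 +0000] "GET /WebInterface/function/?command=zip&c2f=AAAA&path=<INCLUDE>/etc/passwd</INCLUDE> HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [22/Apr/2024:10:01:05 +0000] "GET /WebInterface/function/?command=zip&c2f=AAAA&path=%3CINCLUDE%3E/etc/shadow%3C/INCLUDE%3E HTTP/1.1" 200 480 "-" "curl/8.0"
198.51.100.4 - - [22/Apr/2024:10:02:10 +0000] "GET /WebInterface/function/?command=getUserList&c2f=BBBB HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2024:10:03:00 +0000] "GET /WebInterface/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Match the template tag itself, tolerating whitespace and case variation.
INCLUDE_RE = re.compile(r"<\s*INCLUDE\s*>", re.IGNORECASE)


def classify_request(uri: str) -> list[str]:
    """Return the CVE-2024-4040 indicators present in one request URI."""
    # Decode twice so single- and double-percent-encoded tags are both visible.
    decoded = unquote(unquote(uri))
    parts = urlsplit(decoded)
    hits = []
    if INCLUDE_RE.search(decoded):
        hits.append("include_tag")          # high-confidence: SSTI payload marker
    if parts.path.startswith("/WebInterface/function/") and "c2f" in parse_qs(parts.query):
        hits.append("c2f_param")            # weaker signal on its own; useful as context
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per request with indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["uri"])
        if hits:
            findings.append({
                "ts": m["ts"], "src_ip": m["src_ip"], "status": int(m["status"]),
                "uri": m["uri"], "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src_ip"], f["status"], f["indicators"], f["uri"])
```

Requests carrying only `c2f_param` are worth triaging in bulk (counts per source, as the proxy query above does) rather than alerting on individually, while any `include_tag` hit warrants immediate review of the host.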

Indicators of Compromise

  • Requests containing <INCLUDE> tags
  • Access to /WebInterface/function/ with c2f parameter
  • Unusual child processes from CrushFTP/Java

Mitigation

  • Update CrushFTP immediately
  • Enable DMZ mode if an update is not possible
  • Monitor for exploitation attempts
  • Review access logs for suspicious activity

Read the full analysis: Detecting CVE-2024-4040 in CrushFTP
