CVE-2024-4040: CrushFTP VFS Sandbox Escape Vulnerability

CVE ID

CVE-2024-4040

Vulnerability Name

CrushFTP VFS Sandbox Escape Vulnerability

• Project: CrushFTP
• Product: CrushFTP

Date

• Date Added: 2024-04-24
• Due Date: 2024-05-01

Description

CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34; https://nvd.nist.gov/vuln/detail/CVE-2024-4040

Related Security News

• Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)
• Over 1,000 CrushFTP servers exposed to ongoing hijack attacks
• Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers
• Critical auth bypass bug in CrushFTP now exploited in attacks
• CrushFTP warns users to patch unauthenticated access flaw immediately

More CVEs Info

Common Vulnerabilities & Exposures (CVE) List