CVE-2023-43177

Name of the Vulnerable Software and Affected Versions CrushFTP versions prior to 10.5.1

Description The issue is related to errors in handling input data in the Object Attribute Handler component of the CrushFTP cross-platform FTP server. Exploitation of this issue may allow a remote attacker to execute arbitrary code by sending specially crafted requests containing AS2 headers. The vulnerability is associated with improper handling of AS2 headers in CrushFTP, allowing an attacker to gain control over user information Java Properties, set arbitrary permissions for reading and deleting files, and potentially lead to system compromise and remote code execution at the root level. It is estimated that thousands of organizations are threatened by this issue, with about 46,088 results mainly distributed in the United States, Germany, and other countries.

Recommendations For CrushFTP versions prior to 10.5.1, update to version 10.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the AS2 functionality to minimize the risk of exploitation. Additionally, monitor server activity related to AS2, as any such activity should raise immediate suspicions as a potential precursor to an attack.