Statement on CVE-2024-4040 Unauthenticated Arbitrary File Read and Remote Code Execution in CrushFTP
May 10, 2024
Information
A server-side template injection vulnerability in CrushFTP, affecting all 10.x versions before 10.7.1 and all 11.x versions before 11.1.0 on all platforms, allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Risk
Low
Response
Melissa Data Corporation (“Melissa”) was not impacted by CVE-2024-4040, as we do not use an affected version of CrushFTP for any Melissa commercial web services or products.
Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.