Users of the enterprise file transfer software CrushFTP have been urged to update to the latest version following the discovery of a security flaw that has been the subject of targeted exploitation in the wild.
“CrushFTP v11 versions lower than 11.1 have a vulnerability where users can escape their VFS and download system files,” CrushFTP said in an advisory posted Friday. “This has been fixed in v11.1.0.”
That said, customers who use their CrushFTP instances within a restricted DMZ (demilitarized zone) environment are protected from attacks.
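The advisory gives an exact affected range (v11 builds below 11.1, fixed in 11.1.0), which is enough to triage an inventory of CrushFTP instances. The checker below is an added example written for this article, not code from CrushFTP or from the advisory; the version banners it runs over are constructed sample data, and it deliberately reports versions outside the v11 line as out of scope because the advisory says nothing about them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the vendor advisory: v11 below 11.1 is vulnerable,
# fixed in 11.1.0. Anything that is not a v11 build is outside the advisory's scope.
FIXED_VERSION: Tuple[int, int, int] = (11, 1, 0)
AFFECTED_MAJOR = 11


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull a dotted version out of strings such as 'CrushFTP 11.0.3',
    'v11.1' or '11.1.0'. Missing minor/patch components default to 0."""
    match = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in match.groups())
    return (major, minor, patch)


def assess(banner: str) -> str:
    """Classify one version banner against the advisory's affected range."""
    version = parse_version(banner)
    if version is None:
        return "unknown"          # no version visible; needs a manual look
    if version[0] != AFFECTED_MAJOR:
        return "out-of-scope"     # advisory only covers v11 builds
    return "vulnerable" if version < FIXED_VERSION else "patched"


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose banner falls inside the affected range."""
    return sorted(host for host, banner in inventory.items() if assess(banner) == "vulnerable")


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "CrushFTP 11.0.3",
    "ftp-b.example.internal": "CrushFTP 11.1.0",
    "ftp-c.example.internal": "v11.1",
    "ftp-d.example.internal": "CrushFTP 10.7.1",
    "ftp-e.example.internal": "CrushFTP (version not reported)",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:28} {banner:35} -> {assess(banner)}")
    print("needs patching:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Versions that parse as 11.1 with no patch component are treated as 11.1.0 and therefore patched, which matches the advisory's wording; hosts whose banner carries no version at all come back as "unknown" rather than silently passing, so they still get a manual check.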
Simon Garrelou of Airbus CERT was credited with discovering and reporting the flaw. A CVE identifier has yet to be assigned.
Cybersecurity firm CrowdStrike, in a post shared on Reddit, said it had observed an exploit for the flaw being used in a “targeted” manner.
These intrusions are said to have primarily targeted US entities, with the intelligence-gathering activity suspected to be politically motivated.
“CrushFTP users should continue to follow the vendor’s website for the most up-to-date instructions and prioritize patching,” CrowdStrike said.