A critical zero-day vulnerability, identified as CVE-2024-4040, is being exploited in the wild, targeting U.S. organizations that use CrushFTP servers.
The vulnerability allows remote attackers to bypass system security, download files, and potentially gain full system control.
The flaw impacts versions prior to 10.7.1 and 11.1.0 of CrushFTP, as well as all legacy CrushFTP 9 installations.
Organizations are advised to update their systems to a patched version and implement additional security measures to mitigate the risk.