Security Bulletin: CrushFTP Vulnerability (CVE-2024-4040)

Audience
Public
Product
FlashBlade
FlashArray
Content Type
Source Type
Common Vulnerabilities and Exposures (CVE)

Security Bulletin: CrushFTP Vulnerability (CVE-2024-4040)

Vulnerability Status: Final Source: Third Party / OSS Initial Publication Date: 2024-04-22 Last Updated: 2026-06-25 06:26:32

Summary:

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.


CVE#: CVE-2024-4040

Vulnerability score (v3): 10

Vector (v3): 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity (v3): 1 - Critical

Product(s): FlashArray, FlashBlade

Version First Fixed: Not affected


References:

https://nvd.nist.gov/vuln/detail/CVE-2024-4040