CVE-2024-4040

ENISA EUVD: EUVD-2024-32605
Exploited in the Wild: Confirmed 0-Day
Triaged: March 5, 2026 · 5 articles · Published: 2024-04-22

EPSS Score

Source: FIRST.org · 2026-05-23
94.43% probability
This CVE has a 94.43% probability of being exploited in the next 30 days.
Percentile: 100.0th of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
Base score: 9.8 (CRITICAL)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Affected Products

Vendor: CrushFTP
Product: CrushFTP
Versions: 10.0, 11.0

Attack Intelligence

Exploits & PoC

Stuub/CVE-2024-4040-SSTI-LFI-PoC (⭐ 62 · 2024-07-07)
CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support

airbus-cert/CVE-2024-4040 (⭐ 52 · 2024-05-17)
Scanner for CVE-2024-4040

geniuszly/GenCrushSSTIExploit (⭐ 8 · 2024-09-30)
is a PoC for CVE-2024-4040 tool for exploiting the SSTI vulnerability in CrushFTP

gotr00t0day/CVE-2024-4040 (⭐ 6 · 2024-05-04)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote att

dhammerg/CVE-2024-4040 (⭐ 5 · 2024-04-30)
Exploit CrushFTP CVE-2024-4040

entroychang/CVE-2024-4040 (⭐ 3 · 2024-07-09)
CVE-2024-4040 PoC

Mufti22/CVE-2024-4040 (⭐ 0 · 2024-04-25)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote att

0xN7y/CVE-2024-4040 (⭐ 0 · 2024-04-28)
exploit for CVE-2024-4040

Praison001/CVE-2024-4040-CrushFTP-server (⭐ 0 · 2024-04-29)
Exploit for CVE-2024-4040 affecting CrushFTP server in all versions before 10.7.1 and 11.1.0 on all platforms

1ncendium/CVE-2024-4040 (⭐ 0 · 2024-05-13)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote att

olebris/CVE-2024-4040 (⭐ 0 · 2024-06-28)
CVE-2024-4040 PoC

ill-deed/CrushFTP-CVE-2024-4040-illdeed (⭐ 0 · 2025-07-04)
Exploit for CVE-2024-4040 – Authentication bypass in CrushFTP via CrushAuth cookie and AWS-style header spoofing. Stealthy Python PoC with secure toke

juanorts/CrushFTP10-Docker-CVE-2024-4040 (⭐ 0 · 2025-11-06)
A Dockerized setup for running a vulnerable CrushFTP 10 server instance (CVE-2024-4040).

18 repos, sorted by ⭐

Signal Intelligence

Confidence: 85%
EPSS: 94.43%
CVSS v3.1: 9.8
Mentions: 5
Last Seen: Mar 03, 2026

CNA Information

CNA Assigner: directcyber
CNA Title: Unauthenticated arbitrary file read and remote code execution in CrushFTP

Analyst Note

A BleepingComputer article explicitly identifies CVE-2024-4040 as an 'exploited zero-day', with CrushFTP warning users to patch 'immediately', indicating that active exploitation preceded patch availability. The CVE was published on April 22, 2024 with a critical CVSS 9.8 severity, which supports a rapid exploitation timeline.

Threat Actors (10)

MuddyWater: apt_group · Information theft and espionage · 🇮🇷 IR
Lazarus Group: apt_group · Information theft and espionage · 🇰🇵 KP
Cobalt: apt_group · Financial crime · 🇷🇺 RU
APT37: apt_group · Information theft and espionage · 🇰🇵 KP
Kimsuky: apt_group · Information theft and espionage · 🇰🇷 KR
CHRYSENE: apt_group · Information theft and espionage · 🇮🇷 IR
UAC-0020: apt_group · 🇺🇦 UA
SideWinder: apt_group · 🇮🇳 IN
RAZOR TIGER: apt_group · Information theft and espionage · 🇮🇳 IN
Larva-208: apt_group · 🇷🇺 RU

Triage Info

Decided at: Mar 05, 2026
Published Date: Apr 22, 2024