Rapid7 Vulnerability & Exploit Database

CrushFTP Unauthenticated RCE

Back to Search

CrushFTP Unauthenticated RCE



This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.


  • Ryan Emmons
  • Christophe De La Fuente




java, x64, x86


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/crushftp_rce_cve_2023_43177
msf exploit(crushftp_rce_cve_2023_43177) > show targets
msf exploit(crushftp_rce_cve_2023_43177) > set TARGET < target-id >
msf exploit(crushftp_rce_cve_2023_43177) > show options
    ...show and set options...
msf exploit(crushftp_rce_cve_2023_43177) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security