module
CrushFTP Unauthenticated RCE
| Disclosed |
|---|
| Aug 8, 2023 |
Disclosed
Aug 8, 2023
Description
This exploit module leverages an Improperly Controlled Modification
of Dynamically-Determined Object Attributes vulnerability
(CVE-2023-43177) to achieve unauthenticated remote code execution.
This affects CrushFTP versions prior to 10.5.1.
It is possible to set some user's session properties by sending an HTTP
request with specially crafted Header key-value pairs. This enables an
unauthenticated attacker to access files anywhere on the server file
system and steal the session cookies of valid authenticated users. The
attack consists in hijacking a user's session and escalates privileges
to obtain full control of the target. Remote code execution is obtained
by abusing the dynamic SQL driver loading and configuration testing
feature.
of Dynamically-Determined Object Attributes vulnerability
(CVE-2023-43177) to achieve unauthenticated remote code execution.
This affects CrushFTP versions prior to 10.5.1.
It is possible to set some user's session properties by sending an HTTP
request with specially crafted Header key-value pairs. This enables an
unauthenticated attacker to access files anywhere on the server file
system and steal the session cookies of valid authenticated users. The
attack consists in hijacking a user's session and escalates privileges
to obtain full control of the target. Remote code execution is obtained
by abusing the dynamic SQL driver loading and configuration testing
feature.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.