
In the early days of the digital age, hacking was often fame- or prank-driven. Fast forward to 2025: hacking has been widely monetized for illicit gain. Cybercrime is predicted to cost the global economy 10.5 trillion USD in 2025. Globally, the trend of increasing geocriminality is pushing individual countries and entire economic regions [1][2] to make deeper commitments to cyber defenses. An accelerating threat environment underscores the urgency of proactive, well-funded cybersecurity strategies across all sectors, in all regions of the world.

The continuous deluge of critical vulnerabilities, novel attack techniques, and active ransomware and espionage campaigns signals the need for comprehensive cybersecurity measures to prevent the most catastrophic consequences. In this month’s threat report, we will review the most pressing threats from the cybersecurity landscape that emerged in April 2025. Without further ado, let’s get started!

Considering the Consequences

Dire consequences loom for those unprepared to weather sophisticated cyber attacks. Ransomware is widely considered the biggest existential cyber threat to businesses, but data breach lawsuits are escalating dramatically. Breach-related class action filings have risen more than 1,265% over six years, with filings in the U.S. more than doubling from 604 in 2022 to 1,320 in 2023. Robust backups can help a victim avoid paying a ransom, and a well-executed incident response plan may minimize downtime, but breach victims have little recourse against costs related to regulatory or legal action.

Equifax’s 2019 settlements are the highest in history for a cybersecurity-related incident, with a total cost estimated at 1.5 billion USD. Failure to patch CVE-2017-5638 in Apache Struts was implicated as the root cause of the breach. In April 2025, U.S. defense contractor Raytheon agreed to pay an 8.5 million USD settlement for failing to implement required security measures for 29 of its Department of Defense (DoD) contracts.

Healthcare providers are especially hard-hit because personal healthcare information fetches roughly 1,000 USD per record on darkweb marketplaces, compared to 5 USD per record for payment card data, which is worth far less because card fraud is detected effectively. In 2023, the U.S. healthcare sector reported 725 data breaches, exposing over 133 million records. Most recently, on April 23, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a 600,000 USD settlement with PIH Health, Inc. due to inadequate technical safeguards. However, legal consequences for cyber breaches are impacting organizations across all industries. Data breach-related securities class actions have also seen substantial settlements, with three of the top ten largest settlements occurring in 2024, totaling 560 million USD.

Considering the consequences, organizations should carefully assess their cyber hygiene posture, paying special attention to core IT security best practices such as implementing multi-factor authentication (MFA), vulnerability management and network segmentation.

Verizon: Increase in Exploited Vulnerabilities for Initial Access

Verizon’s 2025 Data Breach Investigations Report (DBIR), released in April, reported a 34% increase in exploited vulnerabilities (CVEs) as a root cause of cyber breaches occurring between October 2023 and December 2024. Exploited vulnerabilities served as the initial access vector in 20% of the data breaches studied. While the report indicates that ransom payments are down (64% of victim organizations did not pay the ransom, compared to 50% two years ago), the rate of ransomware attacks increased by 37%.

Edge devices and VPNs accounted for 22% of exploitation actions, a sharp rise from just 3% the year before. Despite the growing threat, organizations fully remediated only about 54% of these vulnerabilities, with a median time to remediation of 32 days. Furthermore, edge exploitation for initial access reached 70% in espionage-motivated breaches. This trend of edge device exploitation shows no signs of abating; proactive vulnerability management is more critical than ever to reduce exposure and limit the impact of breaches.

Newly Emerging Threats on the Edge in April 2025

The message from cyber landscape reports is clear: organizations need to be acutely aware of their publicly exposed assets, and detection and remediation of vulnerabilities on those assets is critical. Below are the highlights of emerging threat activity affecting network edge devices in April 2025. Greenbone is able to detect all emerging threats referenced below and more.

  • SonicWall SMA100 Appliances: CVE-2023-44221 (CVSS 7.2) and CVE-2021-20035 (CVSS 6.5), both OS Command Injection Vulnerabilities [CWE-78] were added to CISA KEV (Cybersecurity and Infrastructure Security Agency; Known Exploited Vulnerabilities). In April, SonicWall also reported that Proof-of-Concept (PoC) exploits are now publicly available for another vulnerability: CVE-2024-53704 (CVSS 9.8).
  • Ivanti Connect Secure, Policy Secure, and ZTA Gateways: CVE-2025-22457 (CVSS 9.8) is a Stack-Based Buffer Overflow [CWE-121] vulnerability now being actively exploited. Google’s Mandiant threat research group attributed attacks to UNC5221, a Chinese (state sponsored) threat actor. Security firm GreyNoise also observed a 9X increase in bots scanning for exposed Connect Secure endpoints.
  • Fortinet FortiOS and FortiProxy: CVE-2025-24472 (CVSS 9.8) is an Authentication Bypass [CWE-288] flaw that could allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. The CVE is considered actively exploited. Fortinet also detailed new exploitation activity against older critical vulnerabilities in FortiGate devices, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 (all CVSS 9.8).
  • Juniper Junos OS: CVE-2025-21590 (CVSS 6.7) is an actively exploited flaw that allows a local attacker with high privileges to compromise the integrity of the device. Classified as an Improper Isolation or Compartmentalization [CWE-653] weakness, a local attacker with access to the Juniper CLI shell can inject arbitrary code to compromise an affected device.
  • Multiple Cisco Flaws Exploited: Analysts confirmed targeted attacks against unpatched Cisco infrastructure, especially in telecom environments [1][2]. Chinese state-sponsored group Salt Typhoon continues to exploit CVE-2018-0171 (CVSS 9.8) in Smart Install RCE and CVE-2023-20198 (CVSS 10) in Web UI Privilege Escalation.
  • DrayTek Routers: Three CVEs have been observed in exploitation campaigns, including CVE-2020-8515 (CVSS 9.8), CVE-2021-20123 (CVSS 7.5) and CVE-2021-20124 (CVSS 7.5).
  • Microsoft Remote Desktop Gateway Service: CVE-2025-27480 is a Use After Free [CWE-416] flaw that allows an unauthorized attacker to execute code over a network. While active threats have not been observed yet, Microsoft tracks the vulnerability with an “Exploitation More Likely” status.
  • Erlang/OTP SSH has Public PoC Exploit: Multiple PoC exploits [1][2][3] are now publicly available for CVE-2025-32433 (CVSS 10), a new maximum-severity vulnerability in the Erlang/OTP SSH server. Erlang/OTP is a widely used platform for building scalable and fault-tolerant distributed systems and is in use by large technology companies such as Ericsson, Cisco, Broadcom, EMQ Technologies and Apache Software Foundation, among others.
  • Broadcom Brocade Fabric OS (FOS): CVE-2025-1976 (CVSS 6.7) is a Code Injection Vulnerability [CWE-94] both disclosed and actively exploited in April. FOS is a specialized firmware designed for managing Fibre Channel switches within Storage Area Networks (SANs). The flaw allows a local user with administrative privileges to execute arbitrary code with full root privileges.

New Windows Common Log File System Flaw Used in Ransomware Attacks

A new high severity vulnerability, CVE-2025-29824 (CVSS 7.8) identified in the Microsoft Windows Common Log File System (CLFS) driver allows privilege escalation for local authenticated attackers to gain SYSTEM level access. Furthermore, the vulnerability is being exploited globally in ransomware attacks [1][2], particularly by Storm-2460, to deploy PipeMagic malware payloads.

The Windows CLFS driver has a series of critical privilege escalation vulnerabilities that span multiple years and versions making it a persistent high-value target for attackers. Eight CVEs from 2019 through 2025 have been cataloged in the CISA KEV list with at least four – CVE-2023-28252, CVE-2023-23376, CVE-2022-24521 and CVE-2025-29824 mentioned above – known to be leveraged in ransomware campaigns.

Due to active exploitation of critical vulnerabilities in Microsoft products, it’s essential for organizations to verify that the latest Microsoft security updates have been applied across their IT infrastructure and monitor systems for Indicators of Compromise (IoC). Greenbone can detect vulnerability to all CLFS CVEs mentioned above and missing patch-levels for Microsoft Windows 10 (32-bit & x64), Windows 11 (x64) and Windows Server 2012–2025 endpoints via authenticated Local Security Checks (LSC).

Remote Code Execution Flaw Impacts Craft CMS

CVE-2025-32432 (CVSS 10) is a high impact Remote Code Execution (RCE) vulnerability in Craft CMS (Content Management System) that is considered trivial to exploit. Craft CMS is a website creation framework built on top of the Yii PHP framework. The CVE was reported by Orange Cyberdefense’s CSIRT who discovered it during an incident response. The flaw has been exploited in the wild. Also, technical details and PoC exploits [1][2] including a Metasploit module are publicly available, greatly increasing the threat. Craft CMS is used by prominent organizations including The New York Times, Amazon, Intel, Tesla, NBC, Bloomberg and JPMorgan Chase for creating custom e-commerce and content-driven websites.

Greenbone is able to detect web applications vulnerable to CVE-2025-32432 with an active check that sends a specially crafted POST request and analyzes the response. Craft CMS versions 3.x through 3.9.14, 4.x through 4.14.14, and 5.x through 5.6.16 are affected and users should upgrade to a patched version as soon as possible. If upgrade is not possible the vendor proposes implementing firewall rules to block POST requests to the `actions/assets/generate-transform` endpoint or installing the Craft CMS Security Patches library.

Dueling CVEs in CrushFTP Leveraged by Ransomware

CVE-2025-31161 (CVSS 9.8) poses a severe threat to CrushFTP users. The flaw is an authentication bypass vulnerability [CWE-287] in the HTTP Authorization header that allows remote unauthenticated attackers to authenticate as any existing user account (e.g., crushadmin). The flaw is being leveraged by the Kill threat actor among others in ongoing ransomware attacks.

CVE-2025-31161 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vendor has released an advisory with updated instructions. Greenbone is able to detect CVE-2025-31161 with both an active check, and a version detection test.

Initially, this vulnerability was tracked under another identifier (CVE-2025-2825). A third-party CNA published it before CrushFTP had the opportunity to assess the details. The premature disclosure forced CrushFTP to respond publicly before it had developed a patch. This incident highlights a significant risk: because CrushFTP was not a CVE Numbering Authority (CNA), it lacked the authority to assign CVE identifiers to its own products. Instead, CrushFTP had to rely on the third-party researchers who discovered the flaw to manage CVE disclosure.

In the CVE Program, a CNA can define its scope such that it may assign CVE IDs to vulnerabilities affecting its own products and restrict other parties from doing so. If an application’s vendor is a registered CNA, third-party security researchers must disclose their findings to the vendor directly, allowing more control over the timeline of events and a more strategic disclosure. Considering the risks, software vendors should consider becoming a registered CNA with MITRE’s CVE program.

Summary

April 2025 highlighted ongoing threats from edge device vulnerabilities, ransomware activity and newly exploited flaws in widely used software like Craft CMS, Microsoft CLFS and CrushFTP. These developments reinforce the need for organizations to maintain visibility over exposed assets, apply timely patches and stay vigilant against emerging threats that can escalate quickly from initial access to full compromise.

From a bird’s eye view, the cumulative cost of cyber-crime is estimated to reach 9.2 trillion USD globally in 2024. According to the 2023 IBM X-Force Cost of a Data Breach Report, a single breach imposes an average of 4.45M USD of financial damage on a victim; while US firms incur more than double the global average, German organizations fared on par with it.

The most staggering costs are incurred by post-breach remediation activities such as incident response, digital forensics, system recovery, and mandatory disclosure reporting, while regulatory fines can also significantly add to cyber breach costs. Change Healthcare has forecasted an expected loss of 1.6B USD this year due to a breach that occurred in March 2024 and as discussed below, regulatory fines may be pending.

These potential damages highlight the importance of proactive security measures, both for preventing successful cyber attacks and for mitigating the financial impact should one occur. The Ponemon Institute found that missing security patches accounted for 57% of cyber attacks. Getting breached less often is an obvious benefit of implementing preventative cybersecurity measures, but according to IBM, organizations with proactive risk-based vulnerability management (RBVM) also experience lower than average expenses post-breach (3.98M USD) compared to organizations without such measures (4.45M USD), those suffering from a skills shortage (5.36M USD), or those deemed non-compliant with cybersecurity regulations (5.05M USD).

Cost Of The Change Healthcare Post Ransomware Attack

In March 2024, Change Healthcare suffered a ransomware attack that has so far burdened the company with roughly 872M USD in damages and delayed 6B USD in health insurance payments. Change Healthcare forecasts an annual expected loss of 1.6B USD due to the incident. Established in 2007, Change Healthcare is a leading healthcare technology company selling revenue cycle management, payment accuracy, and clinical data exchange services globally. A 2022 acquisition saw the company valued at 8B USD.

HIPAA Compliance Investigation Into Change Healthcare

On top of that steep damage, the US HHS Office for Civil Rights, the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has opened an investigation into the attack seeking to determine whether Change Healthcare violated its compliance requirements. The HIPAA Security Rules require covered entities to implement “recognized security practices” to protect ePHI against reasonably anticipated security threats.

Continuous vulnerability management activities are a fundamental component of all modern cybersecurity frameworks. If it can be called a bright side, the most severe penalties for HIPAA non-compliance are capped at a mere 2M USD; small change in comparison to the overall cost of response and recovery for this particular incident.

The Greenbone Vulnerability Management platform is capable of implementing customized compliance tests to meet any framework including CIS, DISA STIG, HIPAA, and more, and Greenbone is certified for its information security management system (ISMS, ISO 27001), quality management (ISO 9000) and, most recently, environmental management (ISO 14001).

April 2024 compounded another record-breaking month for CVE disclosure on top of the last. In this month’s threat tracking report we will investigate several new actively exploited vulnerabilities and quickly review the cyber breach of US R&D giant MITRE. The report will also uncover how end-of-life (EOL) products can have a detrimental impact on an organization’s cybersecurity posture and how to manage the associated risks.

MITRE Exploited Via Ivanti Secure Connect Vulnerabilities

The MITRE Corporation is a not-for-profit organization established in 1958 that operates multiple federally funded research and development centers (FFRDCs) to support US national defense, cybersecurity, healthcare, aviation, and more. MITRE also maintains several core cybersecurity frameworks such as MITRE ATT&CK and D3FEND, and vulnerability resources including the Common Vulnerabilities and Exposures (CVE) database, the Common Weakness Enumeration (CWE), and the Common Attack Path Enumeration (CAPEC).

A recent cyber breach of MITRE shows that even the most cyber-savvy organizations are not immune to targeted attacks from Advanced Persistent Threats (APTs). Initial access to one of MITRE’s research networks was gained via two Ivanti Connect Secure VPN service vulnerabilities: CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). We previously published a full description of these vulnerabilities, which can both be detected by Greenbone’s vulnerability tests. After initial access, attackers were able to pivot to adjacent VMware infrastructure [TA0109] using stolen session tokens [T1563] to bypass multi-factor authentication and access admin accounts.

If it can happen to MITRE it can happen to any organization, but patching known actively exploited vulnerabilities is a critical cybersecurity activity that all organizations need to place strong emphasis on.

Operation MidnightEclipse: Exploited Palo Alto Zero Day

On April 10, 2024, exploitation of a previously unknown zero-day vulnerability in the GlobalProtect feature of Palo Alto PAN-OS was detected and reported by researchers at cybersecurity firm Volexity. The vulnerability, now tracked as CVE-2024-3400 (CVSS 10), allows unauthenticated remote code execution (RCE) with root privileges, and has been added to the CISA KEV (Known Exploited Vulnerabilities) catalog. The Greenbone enterprise vulnerability feed includes tests to detect CVE-2024-3400, allowing organizations to identify affected assets and plan remediation.

Palo Alto’s Unit42 is tracking subsequent attacks under the name Operation MidnightEclipse and, along with the Shadowserver Foundation and GreyNoise, has observed simple probes and full exploitation followed by data exfiltration and installation of remote command and control (C2) tools. Also, several proof of concept (PoC) exploits have been publicly disclosed [1][2] by third parties, extending the threat by enabling attacks from low-skilled cyber criminals.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Hotfix patches PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 are currently available to remediate affected devices without requiring a restart. A comprehensive guide for remediation is available in the Palo Alto Knowledge Base.

D-Link End-Of-Life Products Exploited Via Hardcoded Credentials

Two critical vulnerabilities have been discovered in NAS devices manufactured by D-Link, labeled as CVE-2024-3272 (CVSS 9.8) and CVE-2024-3273 (CVSS 9.8). The impacted devices include DNS-320L, DNS-325, DNS-327L, and DNS-340L, all of which have reached the end of their support lifecycle. According to D-Link, patches will not be provided. Both CVEs are being actively exploited, and a proof of concept (PoC) exploit for CVE-2024-3273 is available online. Globally this affects an estimated 92,000 devices.

Vulnerable devices all contain a default administration account that does not require a password. Attackers can execute commands remotely by sending a specially crafted HTTP GET request to the /cgi-bin/nas_sharing.cgi URI on the NAS web-interface. Combined, the two vulnerabilities pose a severe risk, as they allow root remote code execution (RCE) without authentication on the target device [T1584]. This gives attackers access to potentially sensitive data [TA0010] stored on the compromised NAS device itself, but also a foothold on the victim’s network to attempt lateral penetration [TA0008] to other systems on the network, or launch attacks globally as part of a botnet [T1584.005].

Securing End-Of-Life (EOL) Digital Products

End-of-life (EOL) digital products demand special security considerations due to discontinued vendor support. Here are some defensive tactics for protecting EOL digital products:

  1. Risk Assessment: Conduct regular risk assessments to identify the potential impact of legacy devices on your organization, especially considering that newly disclosed vulnerabilities may not have vendor provided remediation issued.
  2. Vulnerability and Patch Management: Although EOL products may be officially unsupported by their vendors, in some emergency cases, patches are still issued. Vulnerability scanning and patch management help identify new vulnerabilities and allow defenders to seek guidance from the vendor on remediation options.
  3. Isolation and Segmentation: If possible, isolate EOL products from the rest of the network to limit their exposure to potential threats. Segmenting these devices can help contain security breaches and prevent them from affecting other systems.
  4. Harden Configuration and Policies: In some cases, additional policies or security measures such as removing Internet access altogether are appropriate to further mitigate risk.
  5. Update to Supported Products: Update IT infrastructure to replace EOL products with supported alternatives. Transitioning to newer technologies can enhance security posture and reduce the reliance on outdated systems.
  6. Monitoring and Detection: Implement additional monitoring and detection mechanisms to detect any suspicious activity, exploitation attempts or attempts at unauthorized access to EOL products. Continuous monitoring can help identify malicious activity promptly and allow appropriate responses.

CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

CISA has issued an order for all federal US government agencies to patch systems running the CrushFTP service due to active exploitation by politically motivated hackers. Tracked as CVE-2024-4040 (CVSS 9.8), the vulnerability allows an unauthenticated attacker to access sensitive data outside of CrushFTP’s Virtual File System (VFS) and achieve full system compromise. The vulnerability stems from a failure to correctly authorize commands issued via the CrushFTP API [CWE-1336].

CrushFTP is a proprietary file transfer software designed for secure file transfer and file sharing. It supports a wide range of protocols, including FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and more. The vulnerability lies in CrushFTP’s Java web-interface API for administering and monitoring the CrushFTP server.

CrushFTP stated that there is no way to identify a compromised instance by inspecting the application logs. CVE-2024-4040 has turned out to be trivial to exploit, and public exploits are available, greatly increasing the risk. Greenbone’s Enterprise feed includes a vulnerability test to identify the HTTP header sent by vulnerable versions of CrushFTP.

There are an estimated 6,000 publicly exposed instances of CrushFTP in the US alone and over 7,000 public instances globally. CVE-2024-4040 impacts all versions of the application before 10.7.1 and 11.1.0 on all platforms, and customers should upgrade to a patched version with urgency.
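The affected-version statements in this report (CrushFTP for CVE-2024-4040 and CVE-2025-31161, Craft CMS for CVE-2025-32432) are easy to misread when several release branches are involved, so here is an added example, not Greenbone's or any vendor's code, that encodes those ranges as stated and checks a version string against them. The banner strings fed to it are constructed samples, not real captures, and the product keys ("crushftp", "craftcms") are this example's own naming.

```python
"""Affected-version checks for the advisories quoted in this report.

Added example, not Greenbone's or any vendor's code. The version ranges are
the ones stated in the report text; the banner strings are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Pull the first dotted number out of a string such as 'CrushFTP 10.8.3'
    or '5.6.16' and normalise it to exactly four integer components."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class Affected:
    low: Version                 # inclusive lower bound
    high: Version                # upper bound
    high_inclusive: bool = True  # "through 10.8.3" -> True, "before 10.7.1" -> False

    def contains(self, v: Version) -> bool:
        if v < self.low:
            return False
        return v <= self.high if self.high_inclusive else v < self.high


def rng(low: str, high: str, *, inclusive: bool = True) -> Affected:
    return Affected(parse_version(low), parse_version(high), inclusive)


# Ranges exactly as the report states them, keyed by product then CVE.
ADVISORIES: dict[str, dict[str, list[Affected]]] = {
    "crushftp": {
        # "versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0"
        "CVE-2025-31161": [rng("10.0.0", "10.8.3"), rng("11.0.0", "11.3.0")],
        # "all versions before 10.7.1 and 11.1.0"
        "CVE-2024-4040": [rng("0", "10.7.1", inclusive=False),
                          rng("11.0.0", "11.1.0", inclusive=False)],
    },
    "craftcms": {
        # "3.x through 3.9.14, 4.x through 4.14.14, and 5.x through 5.6.16"
        "CVE-2025-32432": [rng("3", "3.9.14"), rng("4", "4.14.14"),
                           rng("5", "5.6.16")],
    },
}


def affected_cves(product: str, version_text: str) -> list[str]:
    """Return the CVEs from the report whose stated range covers this version.

    Caveat: a four-part build such as 10.8.3.1 sorts above 10.8.3, so an
    inclusive 'through 10.8.3' range does not cover it; confirm such builds
    against the vendor advisory rather than trusting this lookup alone."""
    v = parse_version(version_text)
    return sorted(cve for cve, ranges in ADVISORIES[product].items()
                  if any(r.contains(v) for r in ranges))


if __name__ == "__main__":
    # Constructed sample banners, not real captures.
    for product, banner in [("crushftp", "CrushFTP 10.5.1"),
                            ("crushftp", "CrushFTP 11.3.0"),
                            ("crushftp", "CrushFTP 11.3.1"),
                            ("craftcms", "Craft CMS 4.14.14"),
                            ("craftcms", "Craft CMS 5.6.17")]:
        hits = affected_cves(product, banner)
        print(f"{banner:20} -> {', '.join(hits) or 'not in a listed range'}")
```

A version that falls outside every listed range is not proof of safety; it only means the report's stated ranges do not name it.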

Summary

April 2024 was a record-breaking month for CVE disclosure and new cybersecurity challenges, including several high-profile incidents. Ivanti’s Secure Connect VPN was used to gain unauthorized access to MITRE’s development infrastructure, leading to internal network attacks.

Various politically motivated threat actors were observed exploiting a zero-day vulnerability in Palo Alto’s PAN-OS now tracked as CVE-2024-3400, and two new critical vulnerabilities in EOL D-Link NAS devices highlight the need for extra security when legacy products must remain in active service. Also, a critical vulnerability in the CrushFTP server was found and quickly added to CISA KEV forcing US government agencies to patch with urgency.