At line 1 changed 5 lines |
!!!Minimum safe CrushFTP version is 10.5.6. (Regularly updating is critical and we make that as easy as possible.)\\ |
Video covering the simple update process: [https://youtu.be/2pKyYxGJEwE]\\ |
---- |
!!REGARDING 10.5.6 and the recent global SSH vulnerability which also affected CrushFTP! (not CrushFTP specific, but we are affected just like most other server vendors) |
Read more about it here: [https://eprint.iacr.org/2023/1711.pdf]\\ |
!!!__CrushFTP 11.0.0 to 11.3.0 are vulnerable. Update to 11.3.1+ immediately.__ |
!!!__CrushFTP 10.0.0 to 10.8.3 are vulnerable. Update to 10.8.4+ immediately.__ |
!!![Some guidance on detection and what to do if compromised...|Compromise] |
At line 7 changed 2 lines |
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT NOVEMBER 16, 2023! |
If your CrushFTP is lower than 10.5.5, you are vulnerable to an exploit that was responsibly disclosed. It is not known to be in the wild, but it's severe and everyone must update immediately. All versions of CrushFTP (v4/v5/v6/v7/v8/v9/v10) were affected by this. CrushFTP v11 is not affected, as it was patched before its first public release. One part of the vulnerability allows an attacker to gain access simply by knowing the admin username; the other parts, when used together, allow an attacker with a non-privileged account to access files outside their VFS, which can in turn be used to log in as a more privileged user. CVE release is pending. Credit goes to the UK NCSC.\\
|
!!!__Automated Updating__ |
Setting the flag "daily_check_and_auto_update_on_idle" to true in prefs.XML of CrushFTP v11.2.3_19+ will do automated daily checks and updates. |
|
!!!__Update Bug on Windows__ |
Some versions of CrushFTP had a problem applying an update automatically. They would fail to rename ".jar" files on Windows operating systems, instead leaving behind ".jar_tmp" files that need the "_tmp" removed manually. This has been fixed for a while, but if you are still on one of these older builds, you will be affected the next time you attempt the update, so you need to fix the jar filenames manually one time. Example: CrushFTP.jar_tmp -> CrushFTP.jar. Do the same for all other jars in the plugins folder, the plugins/lib folder, and the WebInterface folder (which has CrushTunnel.jar). Do all 3 locations entirely.
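The one-time rename described above, as an added example (not CrushFTP's own code): it walks the main folder, plugins, plugins/lib and WebInterface, renames each leftover .jar_tmp to .jar and replaces the stale .jar the failed update left behind. It assumes the CrushFTP service is already stopped so the old jars are not locked; the sample layout it builds is constructed for demonstration.

```python
"""Added example (not CrushFTP's own code): finish a stalled Windows update by
renaming leftover *.jar_tmp files to *.jar in the locations the page lists.
Assumes the CrushFTP service is stopped so the stale .jar files are not locked."""
from pathlib import Path
import tempfile

# Folders (relative to the CrushFTP main folder) the page says to repair:
# main folder (CrushFTP.jar), plugins, plugins/lib and WebInterface (CrushTunnel.jar).
JAR_LOCATIONS = ("", "plugins", "plugins/lib", "WebInterface")


def repair_jar_tmp(install_dir, dry_run=False):
    """Rename every *.jar_tmp under JAR_LOCATIONS to *.jar, replacing the stale
    pre-update .jar the failed rename left behind. Returns the install-relative
    paths of the repaired jars; with dry_run=True nothing is touched."""
    install_dir = Path(install_dir)
    repaired = []
    for rel in JAR_LOCATIONS:
        folder = install_dir / rel
        if not folder.is_dir():
            continue
        for tmp in sorted(folder.glob("*.jar_tmp")):
            target = tmp.with_suffix(".jar")  # CrushFTP.jar_tmp -> CrushFTP.jar
            if not dry_run:
                if target.exists():
                    target.unlink()  # drop the old jar the updater could not replace
                tmp.rename(target)
            repaired.append(target.relative_to(install_dir).as_posix())
    return repaired


def build_fixture():
    """Constructed sample layout mimicking a failed update; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="crushftp_"))
    (root / "plugins" / "lib").mkdir(parents=True)
    (root / "WebInterface").mkdir()
    (root / "CrushFTP.jar").write_bytes(b"old build")       # locked during update
    (root / "CrushFTP.jar_tmp").write_bytes(b"new build")   # left behind by updater
    (root / "plugins" / "lib" / "driver.jar_tmp").write_bytes(b"new driver")
    (root / "WebInterface" / "CrushTunnel.jar_tmp").write_bytes(b"new tunnel")
    (root / "WebInterface" / "index.html").write_bytes(b"<html></html>")
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("would rename:", repair_jar_tmp(root, dry_run=True))
    print("renamed:", repair_jar_tmp(root))
```

Run it with dry_run=True first against the real install folder to see what would be renamed before touching anything.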
At line 10 removed one line |
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT AUGUST 10, 2023! (CVE-2023-43177) |
At line 12 changed 2 lines |
If your CrushFTP version is less than 10.5.1, you are vulnerable. No exception. Look at your version number on the dashboard; it must be 10.5.1 or higher to be safe. For reference, v6, v7, v8, v9... those numbers are less than v10.5.1. Yes, they are vulnerable! Anything below 10.5.1 is vulnerable.\\
This vulnerability is critical because it does NOT require any authentication. It can be done anonymously to steal the sessions of other users and escalate to an administrator user. It's critical everyone updates ASAP! 10.5.2 also changes the defaults for loading DB drivers that are not on your classpath: if your DB drivers are not in your plugins/lib folder, CrushFTP will not load them (the Statistics DB if you changed it, SQL Users if you are using that, etc.).\\
!!Vulnerability Info |
__March 21, 2025 - Unauthenticated HTTP(S) port access on CrushFTPv10/v11 (CVE: CVE-2025-31161)__\\ |
This issue affects both CrushFTP v10 and v11. The exploit does not work if you have the [DMZ] proxy instance of CrushFTP in place. The vulnerability was responsibly disclosed; it is not being used actively in the wild that we know of, and no further details will be given at this time. (CVE-2025-0282 appears to be a copycat CVE issued automatically by an unaffiliated company.)\\
10.8.4 and 11.3.1 were published on 3/21/2025 and your CrushFTP instances would have notified you within a day of the new version if you are not blocking access to our update servers. Staying up to date is critical on an internet facing server. |
---- |
November 11th, 2024 - (CVE-2024-53552 - CREDIT: Stratascale Cyber Research Unit)\\ |
V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised.\\ |
Once you update you must configure your allowed email reset URL domains.\\ |
v10:Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.\\ |
v11: Preferences, WebInterface, Login Page: Set a domain pattern that is not just '*', as a '*' is no longer allowed.\\
---- |
October 10, 2024 - (CVE-2024-11986 credit European Commission, Application Security Testing Services) \\ |
XSS bug fixed in CrushFTP 10.8.2 and 11.2.1. |
---- |
April 19th, 2024 - (CVE-2024-4040)\\ |
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected by the protocol translation system it uses. A DMZ however does not fully protect you, and you must update immediately. (CREDIT: Simon Garrelou, of Airbus CERT)\\
---- |
At line 15 changed 3 lines |
__IMPORTANT: due to the security updates since CrushFTP version 10.5.2+, any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. On a server previously configured with an external SQL user DB, this new behaviour prevents access on the next launch: move the jar file, then edit prefs.XML and update the <db_driver> key value like\\
{{{<db_driver>./mssql-jdbc-12.4.0.jre11.jar</db_driver>}}} |
|
!!FAQ: |
•If I'm on v10.8.4+...do I need to upgrade to v11? No, 10.8.4+ are safe.\\ |
•If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.4+ or v11.3.1+.\\ |
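The FAQ answers above reduce to the safe ranges this page states (10.8.4+ for v10, 11.3.1+ for v11, nothing older than v10 is safe). The following added example (not CrushFTP's own code) encodes those ranges and goes a step further by checking a whole inventory of instances; the hostnames in it are constructed.

```python
"""Added example (not CrushFTP's own code): classify CrushFTP version strings
against the safe ranges this page states: v10 must be 10.8.4+, v11 must be
11.3.1+, and everything older than v10 is vulnerable."""
import re

# Minimum safe version per major line, as stated on this page.
MIN_SAFE = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """'v11.2.3_19' -> (11, 2, 3); an optional 'v' prefix and '_build' suffix are ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:_\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def required_update(text):
    """Return None when the version is safe, otherwise the update the page asks for.
    Majors newer than 11 are not covered by the page, so they raise."""
    version = parse_version(text)
    major = version[0]
    if major < 10:
        return "10.8.4+ or 11.3.1+ (needs a v10+/v11 license code)"
    if major not in MIN_SAFE:
        raise ValueError(f"no guidance on this page for major version {major}")
    minimum = MIN_SAFE[major]
    if version >= minimum:
        return None
    return ".".join(map(str, minimum)) + "+"


def needing_update(inventory):
    """inventory: {host: version string}. Returns {host: required update} for
    every host that is still on a vulnerable build."""
    return {host: required_update(v) for host, v in inventory.items()
            if required_update(v) is not None}


# Constructed inventory for demonstration; the hostnames are made up.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "10.5.6",
    "ftp-b.example.internal": "10.8.4",
    "ftp-c.example.internal": "v11.2.3_19",
    "ftp-d.example.internal": "11.3.1",
    "legacy.example.internal": "9.3.0",
}

if __name__ == "__main__":
    for host, fix in needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: update to {fix}")
```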
At line 35 added one line |
---- |
At line 20 changed one line |
!!Updating CrushFTP v10 |
!!Updating CrushFTP v11 |
At line 32 changed 2 lines |
1.) Download CrushFTP10.zip from our download page. ([https://www.crushftp.com/early10/CrushFTP10.zip|https://www.crushftp.com/early10/CrushFTP10.zip])\\ |
2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\ |
1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\ |
2.) Give it the specific name `CrushFTP11_new.zip` and place this in the CrushFTP main folder. (Same location where you have your CrushFTP.jar file)\\ |
At line 35 changed 2 lines |
|
|
\\ |
\\ |
!Fully manual offline update: |
In some rare scenarios neither of the above methods works, for example when file permissions prevent the updater from consuming the update file or overwriting the necessary components. In such a case:
1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\ |
2.) Unzip it to a temporary directory\\ |
3.) Stop the CrushFTP service\\
4.) Copy over the installation either the full content, or just the __CrushFTP.jar__ file and the __plugins__ and __WebInterface__ subdirectories as they are. Overwrite all when prompted.\\
5.) Start the CrushFTP service. Once it is back online, clear the browser cache or check with an incognito/private browser session.\\
\\ |
---- |
\\ |
At line 43 changed one line |
!Changelog: [https://www.crushftp.com/version10_build.html]\\ |
---- |
!Changelog: [https://www.crushftp.com/version11_build.html]\\ |
---- |
At line 45 changed one line |
!!Updating an old CrushFTP v9 |
!!Updating an old CrushFTP v10,v9 and prior |
At line 47 changed one line |
You need a v10+ license code first! If you are an enterprise customer, contact us for your code. It's free if your maintenance is current.
You need a v11 license code first! If you are an enterprise customer, contact us for your code. It's free if your maintenance is current.
|
\\ |
All prior versions of CrushFTP were also affected by this most recent vulnerability.\\ |
CrushFTP v10 info: [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update]\\ |