CrushFTP v11 Virtual File System Escape Vulnerability


Published on Apr 21, 2024   —   2 min read

On April 19, 2024, a significant vulnerability was disclosed in CrushFTP v11, which could potentially allow users to escape their virtual file system (VFS) and download system files. This vulnerability has been addressed in version 11.1.0. This post aims to provide a comprehensive overview of the vulnerability, detail the updating process, and recommend security measures.

Description of the Vulnerability

CrushFTP v11 versions prior to 11.1 were found vulnerable to a security flaw where users could bypass the VFS restrictions designed to confine their access. This flaw could lead to unauthorized access to sensitive system files, posing a substantial security risk.

Patch and Protection Measures

The vulnerability has been patched in CrushFTP v11.1.0. Users operating a Demilitarized Zone (DMZ) in front of their main CrushFTP instance have additional protection through the protocol translation system utilized by the DMZ, which mitigates potential exploits.

How to Update CrushFTP v11

To secure CrushFTP environments against this vulnerability, users should update their software to version 11.1.0 by following these steps:

  • Login: Use the "crushadmin" equivalent user credentials to access the dashboard via the WebInterface.
  • Navigate: Go to the 'About' tab.
  • Update: Select 'Update', then 'Update Now'.
  • Process: The update will automatically download and install, which takes approximately 5 minutes. CrushFTP will restart automatically once the update is complete.

Offline Update Installation

For servers without direct internet access:

  • Download: Obtain the file from the CrushFTP download page.
  • Prepare: Rename the downloaded file to and place it in the main CrushFTP folder.
  • Install: Follow the same update steps as the online process; the system will use the local ZIP file.

Restoring from Backup

In case of issues or regression in functionality post-update:

  • Restore Files: Revert to the backed-up versions of the CrushFTP.jar, plugins folder, and CrushTunnel.jar file located in the WebInterface folder.

Changelog and Further Information

The detailed changelog for CrushFTP v11.1 can be found at CrushFTP Version 11 Build.

Recommendations for Organizations Using Previous Versions

Organizations using versions prior to CrushFTP v11 must upgrade to the latest release to secure their systems against this and potentially other undisclosed vulnerabilities. Enterprise customers should contact support for a free v11 license if their maintenance is current.


This vulnerability was identified and reported by Simon Garrelou of Airbus CERT, highlighting the critical role of community contributions in cybersecurity.


This vulnerability highlights the necessity of regular software updates as part of an organization’s security strategy. By adhering to the recommended update procedures and maintaining vigilance in security practices, organizations can protect their data and systems effectively against emerging threats.

For additional support and more detailed instructions, users and administrators are advised to consult the official CrushFTP documentation and support channels.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.