Table of Contents
  • Home
  • /
  • Blog
  • /
  • A Critical Virtual Filesystem Escape Vulnerability in CrushFTP - Update ASAP
April 23, 2024

A Critical Virtual Filesystem Escape Vulnerability in CrushFTP - Update ASAP

A Critical Virtual Filesystem Escape Vulnerability in CrushFTP

On April 19, 2024, Simon Garrelou from Airbus CERT disclosed a critical Virtual Filesystem Escape Vulnerability in CrushFTP and reported it to the vendor. At the time of writing this post, the vulnerability has not been assigned a CVE ID. According to the advisory, if exploited, this VFE Vulnerability in CrushFTP could allow users to escape their virtual filesystem (VFS) and download sensitive system files. This blog post will delve into the details of CrushFTP, the affected versions, the potential impact of the vulnerability, and the steps users should take to mitigate the risk.

A Short Introduction About CrushFTP

CrushFTP is a versatile and user-friendly file transfer server that supports a wide range of protocols, including FTP, SFTP, HTTP, and WebDAV. It offers a secure and efficient way to transfer files between clients and servers, with advanced features such as user management, virtual file system, encryption, and more. CrushFTP is available for Windows, macOS, and Linux platforms and is widely adopted by businesses and individuals for their file transfer needs. Its robustness and ease of use have made it a popular choice in various industries.

Affected Versions of CrushFTP

According to the advisory, the Virtual Filesystem Escape Vulnerability in CrushFTP affects the following versions:

  • CrushFTP v11 versions below 11.1

  • CrushFTP v10.6.1 and below

  • CrushFTP v10.3 and below

  • CrushFTP v10.5.5 and below

If you are running any of these affected versions, it is crucial to update to the patched version as soon as possible to prevent potential exploitation of this VFE Vulnerability in CrushFTP.

How to Fix the Flaw?

The CrushFTP vendor has promptly addressed this critical Virtual Filesystem Escape Vulnerability by releasing a patched version, v11.1.0. To fix the vulnerability and secure your CrushFTP server, it is imperative to update to this latest version immediately. The vendor has provided detailed instructions on how to perform the update, which we will cover in the next section.

How to Update CrushFTP?

Updating CrushFTP to the patched version is a straightforward process that can be done either online or offline. Here's a step-by-step guide for both methods:

Online Update

  1. Log in to the CrushFTP dashboard using your "crushadmin" equivalent user in the WebInterface.

  2. Navigate to the "About" tab.

  3. Click on the "Update" button, followed by "Update Now".

  4. Wait for approximately 5 minutes while the files are downloaded, unzipped, and copied into place. CrushFTP will automatically restart once the update is complete.

Offline Update

  1. Download the latest version of CrushFTP ( from the official download page.

  2. Rename the downloaded file to and place it in the main CrushFTP folder (the same location where you have your prefs.XML file).

  3. Follow the normal online update instructions above, and CrushFTP will use your local offline zip file for the update.

It is also essential to create a backup of your current CrushFTP installation before updating, just in case you need to restore it due to any issues or regressions in functionality. CrushFTP automatically creates a backup of its core files in the backup folder within the CrushFTP directory.


The Virtual Filesystem Escape Vulnerability in CrushFTP is a critical security flaw that could lead to unauthorized access to sensitive system files. It is crucial for all CrushFTP users to update their installations to the patched version (v11.1.0) immediately to mitigate the risk of exploitation. By following the update procedures outlined in this post, you can ensure the security and integrity of your CrushFTP server and protect your valuable data from potential threats.

Stay vigilant, keep your software up to date, and always prioritize security in your file transfer operations. If you have any further questions or concerns, don't hesitate to reach out to the CrushFTP support team for assistance.

We hope this post helps you know about recently disclosed critical Virtual Filesystem Escape Vulnerability in CrushFTP. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription