A critical unauthenticated HTTP(S) port access vulnerability in CrushFTP “could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing servers (and likely the data stored on them).” The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. CrushFTP notified users of the vulnerability by email on March 21 and urges users to update their servers as soon as possible. CrushFTP also notes that “some versions of CrushFTP had a problem applying an update automatically. They would fail to rename ‘.jar’ files on Windows operating systems.” The company’s write-up provides instructions for addressing this update bug.

Reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

Critical Unauthenticated HTTP(S) Port Access Vulnerability in CrushFTP
- Post author: System
- Post published: 29 March 2025
- Post category: Blog & News