Category Archives: CVE

Over 1,000 CrushFTP Servers Targeted in Active Exploits of Zero-Day Vulnerability

Security researchers have sounded the alarm over ongoing attacks targeting over 1,000 publicly accessible CrushFTP servers. The attacks exploit a zero-day vulnerability that enables unauthenticated remote code execution (RCE), allowing attackers to hijack entire servers without credentials.

If you’re running an unpatched CrushFTP instance exposed to the internet, you may already be compromised.


The Vulnerability – CVE-2024-4040

The zero-day, now assigned CVE-2024-4040, affects multiple versions of CrushFTP, a widely-used commercial file transfer server for Windows, Linux, and macOS.

Exploiting this flaw allows a remote attacker to:

  • Access sensitive files (e.g., settings, sessions, or credentials)
  • Achieve remote code execution on the system
  • Fully hijack or persistently backdoor the server

Researchers warn that threat actors are actively exploiting this flaw in the wild.


Global Exposure

Security firm Shadowserver reports that more than 1,200 vulnerable CrushFTP servers remain exposed online, across:

  • US
  • Germany
  • Russia
  • Japan
  • France
  • And more…

This includes government agencies, corporations, and academic institutions.


🛡️ Fixes Are Available – Act Now

The CrushFTP team released patched versions (v10.7.1 and later). Admins are urged to:

  • Update immediately to the latest stable version
  • Review server logs for signs of unauthorized access
  • Isolate compromised systems from the network
  • Rotate credentials and tokens if exploitation is suspected

Official patch and changelog: crushftp.com


Lessons Learned

This attack wave reinforces several key points:

  • Zero-days can hit any vendor — even commercial, “secure” software
  • Publicly exposed admin interfaces are high-risk vectors
  • Regular patching and log monitoring are critical to survival

⚠️ If you’re using CrushFTP and haven’t patched yet, your system could already be in attacker hands.


Source:

BleepingComputer –
“Over 1,000 CrushFTP servers exposed to ongoing hijack attacks”
https://www.bleepingcomputer.com/news/security/over-1-000-crushftp-servers-exposed-to-ongoing-hijack-attacks/

Wing FTP Server Under Active Attack — Critical RCE Vulnerability CVE-2025-47812

A critical pre-auth remote code execution (RCE) vulnerability in Wing FTP Server, tracked as CVE-2025-47812, is now being exploited in the wild, with attackers targeting publicly exposed systems.

The vulnerability affects Windows, Linux, and macOS versions of Wing FTP Server prior to v7.3.1, and allows unauthenticated attackers to run arbitrary system commands via crafted HTTP requests.


About CVE-2025-47812

  • Severity: Critical (CVSS v3: 9.8)
  • Type: Pre-authentication Remote Code Execution
  • Affected software: Wing FTP Server < v7.3.1
  • Exploit vector: Malicious HTTP request to the web-based admin interface (port 5466)

Security firm Rapid7 discovered the flaw and reports active exploitation in the wild, outlining the vulnerability and its impact.


Real-World Exploits Confirmed

Researchers observed attackers leveraging this vulnerability in real-world intrusions. Public proof-of-concept exploits are also available, increasing the risk of widespread abuse.

“It’s being exploited right now — if you run Wing FTP and haven’t patched, you are at serious risk,” warns Rapid7.


🛠️ Immediate Action Required

Update to v7.3.1 or later from the official Wing FTP site:

🔗 Download the patch (v7.3.1)


Temporary Mitigation (if patching isn’t possible yet)

  • Restrict external access to the admin interface (default: TCP 5466)
  • Apply strict IP filtering or tunnel access through VPN
  • Monitor for unauthorized access or new user creation
  • Enable and review detailed server logs

Final Recommendations

  • Patch immediately to Wing FTP Server v7.3.1
  • Never expose admin interfaces directly to the internet
  • Stay updated with CVE feeds and vendor advisories
  • Treat this as an active threat, not just a theoretical risk

🔐 Don’t wait until it’s too late. Patch CVE-2025-47812 now.

CVE-2025-33053 & Stealth Falcon’s Espionage Campaign: Everything You Need to Know

A critical zero-day vulnerability, CVE-2025-33053, has recently been exploited in the wild by the APT group known as Stealth Falcon (also identified as “FruityArmor”). This attack targets a flaw in Windows’ WebDAV implementation and employs sophisticated payloads—including a custom implant dubbed Horus Agent. Here’s a full breakdown and advice on how to safeguard your systems.

🕵️ Who is Stealth Falcon?
Stealth Falcon is an Advanced Persistent Threat (APT) group active since at least 2012, known for targeting government and defense organizations—primarily in the Middle East and Africa.

Also referred to as “FruityArmor,” the group is believed to have backing ties to the UAE.

Vulnerability Overview: CVE-2025-33053

  • Type: Remote Code Execution (RCE) in Windows’ WebDAV via manipulation of the working directory during execution
  • CVSS Score: 8.8 (High severity)
  • Attack Vector: A phishing-based .url shortcut triggers a legitimate Windows tool (e.g., iediagcmd.exe) to run malicious executables hosted on attacker-controlled WebDAV servers

Microsoft released a patch for this flaw on June 10, 2025, even extending updates to legacy systems like Windows 8 and Server 2012.

Attack Kill Chain

1. Phishing delivery: A .url file disguised as a PDF (e.g., TLM.005_…pdf.url) tricks recipients into clicking a malicious link.

2. Remote executable hijack: Using Windows’ working-directory resolution, iediagcmd.exe launches a malicious route.exe hosted on WebDAV.

3. Loader deployment: route.exe, the Horus Loader, uses code virtualization to evade detection, displays decoy docs, and drops the payload.

4. Implant installation: The final payload, Horus Agent, a custom C++ implant built on the Mythic C2 framework, enables system fingerprinting, shellcode injection, backdoor communication, keylogging, and credential theft.

Who’s at Risk?

  • High-value targets: Defense and government entities in the Middle East (e.g., Turkey, Qatar, Egypt, Yemen)
  • Broader threat: Now that the patch is public, cybercriminals may begin exploiting the vulnerability more widely—including ransomware actors

🛡️ How to Protect Yourself
1. Patch Immediately
Apply Microsoft’s June 10, 2025 update for CVE-2025-33053—available even for legacy Windows versions (source: darkreading.com).

2. Limit .url/.lnk Exposure
Block execution of .url, .lnk, .cpl files from email/download folders using Group Policy, AppLocker, or WDAC (source: ampcuscyber.com).

Train users to recognize suspicious shortcuts disguised as attachments.

3. Restrict WebDAV Access
Monitor or block connections to unknown WebDAV servers on port 443.

Detect when trusted Windows tools spawn from non-standard working directories (source: kaspersky.com).

4. Deploy Defense-in-Depth
Use threat emulation, intrusion prevention systems, and endpoint protection (e.g., Check Point Harmony, PTR IPS) (source: research.checkpoint.com).

Monitor logs for unusual service installations (Event ID 7045), creation of PDF or VHD files, or .url files launching legitimate processes – indicators include filenames like TLM.005_*.pdf, %TEMP%\…vhdx, ds_notifier, etc.

5. Incident Response & Visibility
Watch for new executables named route.exe, unusual file drops, or anomalous behavior from Edge/IE diagnostic tools.

Keep threat intelligence feeds up-to-date with IOCs like URL hashes provided by Check Point.
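As an added example (not code from the article or from any vendor it cites), the following Python flags process-creation events that match the working-directory hijack described in steps 2 and 3: a trusted diagnostic tool started with a WebDAV working directory, or resolving a System32-named helper such as route.exe from somewhere else. Field names follow Sysmon Event ID 1; the iediagcmd.exe install path, the WebDAV host 203.0.113.10 and the events themselves are constructed.

```python
import ntpath
from typing import Iterable

# Trusted Windows tools the campaign abuses as launchers (from the write-up)
TRUSTED_LAUNCHERS = {"iediagcmd.exe"}
# Helper binaries such tools normally resolve from System32
EXPECTED_DIR = r"c:\windows\system32"
HIJACKED_HELPERS = {"route.exe"}


def is_remote_dir(path: str) -> bool:
    """True for UNC paths, including the \\host@SSL\DavWWWRoot form the
    Windows WebDAV redirector uses for HTTPS shares (port 443)."""
    p = path.lower()
    return p.startswith("\\\\") or "\\davwwwroot" in p or "@ssl" in p


def score_event(ev: dict) -> list[str]:
    """Return the reasons a Sysmon-style process event is suspicious (empty = benign)."""
    reasons = []
    image = ev.get("Image", "")
    child = ntpath.basename(image).lower()
    child_dir = ntpath.dirname(image).lower().rstrip("\\")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cwd = ev.get("CurrentDirectory", "")
    # 1. trusted tool launched with a remote (UNC/WebDAV) working directory
    if child in TRUSTED_LAUNCHERS and is_remote_dir(cwd):
        reasons.append("trusted tool launched with remote working directory")
    # 2. trusted tool resolved a System32-named helper from another location
    if parent in TRUSTED_LAUNCHERS and child in HIJACKED_HELPERS and child_dir != EXPECTED_DIR:
        reasons.append(f"{parent} resolved {child} from {child_dir or '?'}")
    # 3. a System32-named helper executed directly from a UNC/WebDAV path
    if child in HIJACKED_HELPERS and is_remote_dir(image):
        reasons.append(f"{child} executed from UNC/WebDAV path")
    return reasons


def detect(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Pair each suspicious event's Image with its reasons."""
    return [(ev["Image"], r) for ev in events if (r := score_event(ev))]


# Constructed sample events (not real telemetry): one benign, two matching the chain
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\route.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice"},
    {"Image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"\\203.0.113.10@SSL\DavWWWRoot"},
    {"Image": r"\\203.0.113.10@SSL\DavWWWRoot\route.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "CurrentDirectory": r"\\203.0.113.10@SSL\DavWWWRoot"},
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The same checks can be pointed at exported Sysmon or EDR process events; rule 2 is the one that generalizes to other System32 helpers a launcher might resolve from a remote share.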

Summary
CVE-2025-33053, exploited by Stealth Falcon, is a potent zero-day involving deceptive shortcut files and a sophisticated implant deployment pipeline culminating in the stealthy Horus Agent. If you haven’t already, patch now, enforce strict execution controls, and monitor your network for signs of exploitation.

Need help with implementation or want a deeper technical breakdown? Just reach out or leave a comment!

How it works: