CVE-2023-43177

CRITICAL EXPLOITED IN THE WILD NUCLEI

CrushFTP Unauthenticated RCE

Title source: metasploit

Exploitation Summary

CVE-2023-43177 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including the-emmons, Ryan Emmons, Christophe De La Fuente, including a Metasploit module exploits/multi/http/crushftp_rce_cve_2023_43177. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-43177, targeting CrushFTP versions below 10.5.2. The exploit demonstrates an authentication bypass, session hijacking, and privilege escalation leading to remote code execution (RCE).

Description

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

Exploits (2)

nomisec WORKING POC 17 stars

by the-emmons · remote

https://github.com/the-emmons/CVE-2023-43177

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-43177, targeting CrushFTP versions below 10.5.2. The exploit demonstrates an authentication bypass, session hijacking, and privilege escalation leading to remote code execution (RCE).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: CrushFTP < 10.5.2

No auth needed

Prerequisites: Network access to the CrushFTP web interface · CrushFTP version < 10.5.2

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Ryan Emmons, Christophe De La Fuente · rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/crushftp_rce_cve_2023_43177.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2023-43177, an unauthenticated RCE vulnerability in CrushFTP versions prior to 10.5.1, by manipulating session properties via crafted HTTP headers to achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CrushFTP < 10.5.1

No auth needed

Prerequisites: Network access to CrushFTP web interface (default port 8080)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

CRITICALby iamnoooob,rootxharsh,pdresearch

Shodan: http.html:"crushftp"

FOFA: body="crushftp"

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/

Third Party Advisory

https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.8180

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-03-21

InTheWild.io 2023-03-24

CWE

CWE-913

Status published

Products (1)

crushftp/crushftp < 10.5.2

Published Nov 18, 2023

Tracked Since Feb 18, 2026