CVE-2023-43177
CRITICAL EXPLOITED IN THE WILD NUCLEICrushFTP Unauthenticated RCE
Title source: metasploitDescription
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Exploits (2)
metasploit
WORKING POC
EXCELLENT
by Ryan Emmons, Christophe De La Fuente · rubypocjava
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/crushftp_rce_cve_2023_43177.rb
Nuclei Templates (1)
CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
CRITICALby iamnoooob,rootxharsh,pdresearch
Shodan:
http.html:"crushftp"
FOFA:
body="crushftp"
Scores
CVSS v3
9.8
EPSS
0.7682
EPSS Percentile
99.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2024-03-21
InTheWild.io
2023-03-24
CWE
CWE-913
Status
published
Products (1)
crushftp/crushftp
< 10.5.2
Published
Nov 18, 2023
Tracked Since
Feb 18, 2026