CrushFTP customers have been warned to patch an actively exploited vulnerability that allows attackers to download system files. In an advisory dated April 19, 2024, the file transfer company said that CrushFTP v11 versions below 11.1 contain the flaw, which enables users to escape their virtual file system (VFS) and download system files.
Source: Infosecurity