The $15,000 Midnight Discovery: How a Routine Scan Uncovered CrushFTP's Critical Flaw
A Bug Hunter's Detective Story
Timeline: 48 hours that changed everything
Bounty: $15,000
Reading Time: 12 minutes
Prologue: A Tuesday Like Any Other
It was 2:47 AM when my phone buzzed. Not an alarm; I don't sleep with alarms anymore. It was the distinctive Slack notification that only one channel makes: #cve-alerts.
I almost ignored it. My automatic response to 3 AM notifications is to roll over and deal with it at a civilized hour. But something about this particular alert made me pause mid-roll.
NEW CRITICAL CVE: CrushFTP Remote Code Execution
CVSS: 9.8/10
Impact: Unauthenticated full server compromise
Status: Active exploitation detected in the wild
I sat up in bed, suddenly wide awake. CrushFTP. I'd seen that name before, somewhere in my notes. But where?
Act I: The Investigation Begins
The Notebook
I keep what my girlfriend calls "the hacker's diary": a messy collection of targets, tools, and random observations. It's not organized by any system humans understand, but somehow I always find what I need.
Flipping through pages of subdomain lists and API endpoints, I found it. Three weeks ago, during reconnaissance on a major financial services company, I'd noted something curious:
"ftp-transfer.target.com - file upload service, port 9090, seems to be some kind of enterprise file transfer"
At the time, I'd moved on. File transfer services weren't my focus area, and my notes said nothing about authentication bypasses or exposed panels. But now, with this CVE fresh in my mind, that forgotten subdomain suddenly looked very interesting.
The Setup
Before touching any production system (even with permission), I needed to understand what I was dealing with. I brewed coffee (the first of many that night) and started my research.
What is CrushFTP?
CrushFTP is enterprise-grade file transfer software used by Fortune 500 companies, government agencies, and financial institutions. Think of it as a really fancy FTP server with web interfaces, automation capabilities, and enterprise features. The kind of software that handles millions of dollars in financial transactions daily.
Why This CVE Matters:
Most server vulnerabilities require some level of authentication. Maybe you need a low-privilege account first. Maybe you need to be on the internal network. But CVE-2024-4040? It requires nothing. No username. No password. No special access. Just an internet connection and malicious intent.
Act II: The Discovery
First Contact
At 3:15 AM, I fired up my reconnaissance VM. The first rule of responsible disclosure is don't test what you can't verify, so I started with passive checks only.
The response came back immediately:
My heart rate increased slightly. The game was on.
The Version Check
Not all CrushFTP installations are vulnerable. I needed to find the version without triggering any alerts. Luckily, CrushFTP is helpful that way β sometimes too helpful.
The output made me set down my coffee:
For those keeping score at home:
- Vulnerable versions: ≤ 10.7.1, ≤ 11.1.0
- This server: 10.7.0
- Status: VULNERABLE
Visualizing the Attack

Before going further, I sketched out the potential attack flow. Understanding the sequence helps identify not just the vulnerability, but the full impact chain.
The attack sequence:
Discovery - Find CrushFTP instance (✓ Done)
Detection - Verify vulnerable version (✓ Done)
Exploitation - Execute RCE payload (Next)
Impact Assessment - What can we access?
Report - Document everything
Act III: The Breakthrough
Exploitation (Theory vs. Practice)
Here's where I need to pause and explain something important: I cannot and will not provide a working exploit. What follows is the theoretical framework that would be used in a proof of concept, modified to prevent copy-paste exploitation.
The Vulnerability Mechanism:
CVE-2024-4040 exploits Java deserialization in CrushFTP's session handling. When CrushFTP processes certain HTTP requests, it deserializes session cookies without proper validation. An attacker can craft a malicious serialized object that executes arbitrary code during deserialization.
Think of it like this: Imagine you receive a package in the mail. Normally, you'd check the sender before opening it. CrushFTP wasn't checking. It just opened every package, and some packages contain... surprises.
The Moment of Truth
At 4:23 AM, I crafted a safe detection payload. This wouldn't exploit the vulnerability (that would be irresponsible without permission), but it would confirm the vulnerability exists.
I ran the script. The terminal displayed what I already suspected:
The Implications
Finding a vulnerability is one thing. Understanding its impact is another entirely.
What This Means:
No Authentication Required - Anyone on the internet could exploit this
Full Server Access - RCE means complete control of the server
Data at Risk - Financial files, customer data, internal documents
Lateral Movement - Server could be a pivot point to the internal network
Cloud Credentials - If on AWS/Azure/GCP, the metadata service is accessible
Estimated Impact:
Customer data: Potentially 10,000+ records
Financial exposure: Millions in transactions
Compliance: PCI-DSS, SOX violations
Reputation: Catastrophic if exploited maliciously
Act IV: The Aftermath
Responsible Disclosure
At 5:47 AM, three hours after that initial Slack notification, I submitted my report. Not just a "hey, you have a bug" email, but a comprehensive document including:
Executive Summary - For business folks
Technical Details - For engineers
Proof of Concept - Detection script, not exploit
Impact Assessment - What could go wrong
Remediation Steps - How to fix it
Timeline - When I found it, when I'm disclosing
The Report (Simplified):
The Response
Four hours later, at 9:52 AM, I received the triage response:
"Confirmed. Critical severity. We're pushing an emergency patch now. Thank you for the detailed report; this is exactly what we needed."
By 2:00 PM, the server was patched. By 5:00 PM, the bounty was approved: $15,000.
Lessons Learned
What Went Right
1. The Information Diet: I subscribe to CVE alerts, security newsletters, and Twitter lists. When the CrushFTP CVE dropped, I knew about it within minutes. Information advantage is real.
2. Good Notes Save Hunts: That messy notebook with the forgotten subdomain? It saved me days of reconnaissance. Always document, even things that seem unimportant.
3. Responsible Disclosure: I could have exploited this. I could have accessed financial data, cloud credentials, customer information. But that's not what bug bounty is about. The goal is to make the internet safer, not to cause harm.
What Could Be Better
1. Faster Detection: If I'd been actively monitoring this target, I would have found this within hours of CVE disclosure instead of waiting for a Slack notification.
2. Automation: I should have automated CVE checks against my target list. This is now on my todo list.
3. Tool Mastery: My detection script was cobbled together. I should have had a proper framework ready.
The Technical Deep Dive
Understanding CVE-2024-4040
For those who want the technical details:
Root Cause: The vulnerability exists in how CrushFTP handles HTTP request parsing, specifically in the session management code. When processing certain API endpoints, CrushFTP deserializes session cookies without proper validation of the serialized object structure.
Attack Vector:
Attacker sends crafted HTTP request with malicious serialized object
CrushFTP deserializes the object
Malicious code executes during deserialization
Attacker gains code execution context
Why It Works: Java deserialization vulnerabilities occur when applications deserialize untrusted data. The deserialized objects can contain malicious code that executes during the deserialization process. This is a well-known vulnerability class, yet it keeps appearing in enterprise software.
Detection Methods
Passive (Safe):
Active (Requires Permission):
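A passive version check of the kind the post describes, written here as an added example (not the author's detection script): it pulls a CrushFTP version out of a banner or Server header and compares it against the vulnerable ranges stated above (≤ 10.7.1 and ≤ 11.1.0). The sample header lines are constructed, and the assumed header format is a plain `Server: CrushFTP/x.y.z` line.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses; the header shape is an assumption, not real CrushFTP output.
SAMPLE_RESPONSES: List[str] = [
    "Server: CrushFTP/10.7.0",
    "Server: CrushFTP/11.1.0",
    "Server: CrushFTP/11.2.3",
    "Server: nginx/1.25.0",
]

# Matches "CrushFTP/10.7.0", "CrushFTP v10.7", "crushftp 11.1.0" and similar.
VERSION_RE = re.compile(r"CrushFTP/?\s*v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted CrushFTP version as an int tuple; None if the line is not CrushFTP."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Apply the ranges the post gives: anything <= 10.7.1, or 11.x <= 11.1.0.

    Versions are padded to three components so that 10.7 compares like 10.7.0.
    """
    v = (tuple(version) + (0, 0, 0))[:3]
    return v <= (10, 7, 1) or (v[0] == 11 and v <= (11, 1, 0))


def assess(text: str) -> Tuple[Optional[str], str]:
    """Return (version string, status) for one banner/header line."""
    v = parse_version(text)
    if v is None:
        return (None, "NOT_CRUSHFTP")
    status = "VULNERABLE" if is_vulnerable(v) else "PATCHED"
    return (".".join(map(str, v)), status)


def assess_all(lines: List[str]) -> Dict[str, str]:
    """Map each response line to its status; handy for a scan over a target list."""
    return {line: assess(line)[1] for line in lines}


if __name__ == "__main__":
    for line, status in assess_all(SAMPLE_RESPONSES).items():
        print(f"{status:13} {line}")
```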
Prevention for Defenders
Immediate Actions:
Update to CrushFTP 10.7.2 or later
If immediate update impossible:
Restrict access with IP whitelisting
Disable external access temporarily
Monitor logs for suspicious activity
Long-term Security:
Subscribe to CrushFTP security advisories
Implement automated vulnerability scanning
Regular penetration testing
Defense in depth (don't rely on single security control)
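For the "monitor logs for suspicious activity" item, here is an added example (not from the post or from CrushFTP) of the check a defender could run for the mechanism the post describes: a session cookie carrying a serialized Java object. Java serialization streams always begin with the magic bytes 0xACED0005, which base64-encode to the prefix "rO0AB". The log format, the request path and the cookie name below are constructed placeholders, not CrushFTP's own.

```python
import base64
import binascii
import re
from typing import Dict, List

# Java serialization stream magic (0xACED0005) and its base64 prefix.
JAVA_SERIAL_MAGIC = bytes.fromhex("aced0005")
JAVA_SERIAL_B64_PREFIX = "rO0AB"

# Constructed access log; assumed format: "<ts> <client> <method> <path> <status> cookie=<pairs>".
SAMPLE_LOG = """\
2024-04-23T03:15:02Z 198.51.100.5 GET /api/session 200 cookie=session=abc123
2024-04-23T03:15:09Z 203.0.113.7 POST /api/session 500 cookie=session=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==
2024-04-23T03:16:11Z 203.0.113.7 POST /api/session 200 cookie=session=aced0005737200
2024-04-23T03:17:40Z 192.0.2.9 GET /login 200 cookie=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) cookie=(.*)$")


def looks_like_java_serialized(value: str) -> bool:
    """True if a cookie value carries a Java serialization stream (base64 or hex form)."""
    v = value.strip()
    if JAVA_SERIAL_B64_PREFIX in v or JAVA_SERIAL_MAGIC.hex() in v.lower():
        return True
    # Fall back to decoding, which catches values that are base64 but oddly padded.
    try:
        raw = base64.b64decode(v + "=" * (-len(v) % 4), validate=False)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per cookie whose value looks like a serialized Java object."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, path, status, cookies = m.groups()
        for pair in cookies.split(";"):
            name, _, val = pair.strip().partition("=")
            if val and looks_like_java_serialized(val):
                hits.append({"ts": ts, "client": client, "path": path,
                             "status": status, "cookie": name})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} serialized object in cookie '{hit['cookie']}' -> {hit['path']} ({hit['status']})")
```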
Your Action Items
This Week:
For Hunters:
For Defenders:
Tools You'll Need:
If this story inspired you to start hunting, here's what you need:
Lab Setup - Practice safely first - [Setting Up Your First Bug Bounty Lab](Coming soon)
Reconnaissance - Find targets like I did - [Tool Spotlight: Amass](coming soon)
Vulnerability Scanning - Automate CVE detection - Tool Spotlight: Nuclei
Report Writing - Turn findings into bounties - Writing Effective Reports
The Bigger Picture
This discovery wasn't just about the $15,000 bounty. It was about:
Protecting Real People - Financial data, personal information, business secrets
Improving Security - Every bug reported makes the internet safer
Building Skills - Each hunt teaches something new
Community - Sharing knowledge helps everyone improve
Bug bounty isn't just a job or a hobby. It's a responsibility.
Every vulnerability we find and report is one less vulnerability that can be exploited by malicious actors. Every dollar earned is a testament to the value of security research.
But more importantly, every safe disclosure is a win for the internet as a whole.
What's Next?
This story continues in:
→ Part 2: Container Escape Techniques - Learn how container vulnerabilities can lead to full infrastructure compromise
→ Part 3: Writing Reports That Get Paid - The art of turning technical findings into business impact
Related Reading:
Tool Guide: Amass for Enterprise Recon - How I found that forgotten subdomain
CVE Analysis: Container Escapes - Similar impact, different attack vector
Beginner's Guide: Setting Up Your Lab - Start your journey
Your Learning Progress:
✅ Basic Reconnaissance
✅ CVE Analysis
📍 Enterprise Testing (current)
⬜ Report Writing Mastery
⬜ Advanced Chaining
Resources
Official Sources
Tools Used
[Amass](Will be updated soon) - Subdomain enumeration
Nuclei - Vulnerability scanning
[Detection Script](Will be updated soon) - Safe CVE detection
Final Thoughts
That Tuesday morning changed my perspective on bug bounty hunting. It showed me that:
Preparation matters - My messy notes and CVE alerts paid off
Timing is everything - Finding CVEs early maximizes impact
Details matter - A good report gets paid; a great report gets respected
Ethics matter - The power to exploit comes with the responsibility to protect
The $15,000 bounty is nice. But the real reward? Knowing that because of responsible disclosure, thousands of people's financial data stayed secure.
That's why we do this.
Remember: Always practice responsible disclosure. The information in this post is for educational purposes. Never test vulnerabilities on systems you don't own or have explicit permission to test.