# CVE-2024-4040-RCE-POC
CVE-2024-4040 (CrushFTP VFS escape) or (CrushFTP unauthenticated RCE)

This script attempts to execute command on affected installation of the crushftp.
and ofcourse no authentication and/or user interaction is needed to acheive RCE.
you can execute command on multiple ip adresses in multi-threading functionality.

## Usage:
python -f (ip list) -c (command, better put inside "")

according to shodan there are [~7000]( exposed CrushFTP servers on internet.
I included the results of shodan inside ip.txt file in this download

* shodan dork: "http.favicon.hash:-1022206565"

## [Download: ](

[here: ](