PT-2026-36613

Date: May 2, 2026 Status: ACTIVE GLOBAL EXPLOITATION / MASSIVE RCE WAVE Target: CrushFTP Enterprise Managed File Transfer All versions prior to 11.1.0 Severity: 10.0 MAXIMUM CRITICAL Unauthenticated Remote Code Execution / VFS Escape 1. Analysis: Why "VFS-Shatter" is Today’s Apex Threat While the...

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and...