22 April 2024

CrushFTP patches actively exploited zero-day


Developers behind the CrushFTP enterprise file transfer software have urged users to update to the latest version due to the discovery of a zero-day vulnerability said to have been actively exploited in the wild.

The flaw, which has yet to receive a CVE identifier, is an external control of file name or path issue that can lead to remote code execution.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0,” the team said, noting that those using a DMZ (demilitarized zone) perimeter network in front of their main CrushFTP instance are protected against attacks.

While CrushFTP didn’t indicate that the flaw was exploited, in a post on Reddit, cybersecurity company CrowdStrike said it observed an exploit for the vulnerability being used in the wild in a “targeted fashion.”

According to CrowdStrike, the flaw is being exploited in attacks targeting CrushFTP servers at multiple US entities by a possibly politically motivated cyberespionage group.

