CyberSecurity SEE

Limitations in Attacks on Severe WS_FTP Bug Thus Far

There have been limited attacks targeting a critical vulnerability in Progress Software’s WS_FTP Server file transfer product, according to recent reports. The vulnerability, known as CVE-2023-40044, is a maximum-severity flaw that allows attackers to run remote commands on the underlying operating system of the WS_FTP Server. While the attacks have been somewhat limited so far, organizations are being urged to patch the vulnerability promptly to avoid widespread exploitation, as was the case with a similar zero-day flaw in Progress’s MOVEit file transfer software in May.

The CVE-2023-40044 vulnerability is a .NET deserialization flaw that researchers have demonstrated can be exploited with a single HTTPS POST request carrying specially crafted multipart data. Progress Software disclosed the bug on September 27 and recommended that organizations apply the necessary update as soon as possible. The vulnerability affects all supported versions of the WS_FTP software, specifically the optional Ad Hoc Transfer module. It has been given the maximum severity score of 10.0 on the CVSS scale because it is easy to exploit and allows unauthenticated attackers to execute remote commands on the server.

Proof-of-concept (PoC) exploit code for CVE-2023-40044 quickly became available after the vulnerability was disclosed. Several researchers, including Assetnote and MCKSys Argentina, released PoCs that contributed to early exploit activity targeting the flaw. Rapid7, a security vendor, reported that it observed exploitation of one or more of the WS_FTP vulnerabilities in multiple customer environments. The attacks occurred simultaneously and exhibited characteristics of mass exploitation. Rapid7 also noted that a single actor may be behind these attacks, because the same Burp Suite domain appeared across them.
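The two observations above, a single multipart HTTPS POST to the Ad Hoc Transfer module and many sources hitting servers at the same moment, are what a defender would look for in the web server logs of an unpatched host. The script below is an added illustration (not code from Progress, Rapid7 or the original article): it parses constructed W3C-style IIS log lines, keeps multipart POSTs to the module path, and groups them into short time windows so that a burst from several distinct sources stands out from a lone scanner. The module path, the field layout of the log lines and the sample addresses are assumptions made for the example.

```python
"""Log triage for multipart POSTs to the WS_FTP Ad Hoc Transfer module.

Added example, not Progress Software or Rapid7 code. It assumes W3C-style
IIS lines with the field order shown in SAMPLE_LOG; adjust parse_line()
to match the fields your site actually logs.
"""
from datetime import datetime, timedelta

# ASSUMPTION: URL prefix under which the Ad Hoc Transfer module is served.
# This is a placeholder, not a path taken from the article.
AD_HOC_TRANSFER_PREFIX = "/AHT/"

# Constructed sample log (not real traffic). Field order:
# date time cs-method cs-uri-stem c-ip cs(Content-Type) sc-status
SAMPLE_LOG = """\
2023-09-30 10:15:01 GET /ThinClient/ 198.51.100.7 - 200
2023-09-30 10:15:03 POST /AHT/placeholder-endpoint 203.0.113.5 multipart/form-data;boundary=x 500
2023-09-30 10:15:04 POST /AHT/placeholder-endpoint 203.0.113.9 multipart/form-data;boundary=y 500
2023-09-30 10:15:05 POST /AHT/placeholder-endpoint 203.0.113.5 multipart/form-data;boundary=z 200
2023-09-30 10:16:40 POST /AHT/placeholder-endpoint 192.0.2.44 application/x-www-form-urlencoded 200
2023-09-30 11:05:00 POST /AHT/placeholder-endpoint 192.0.2.44 multipart/form-data;boundary=q 200
"""


def parse_line(line: str):
    """Split one W3C-style line into a record; None for blank/comment/odd lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time_, method, uri, ip, ctype, status = parts
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "method": method.upper(),
        "uri": uri,
        "ip": ip,
        "ctype": ctype.lower(),
        "status": int(status),
    }


def suspicious_posts(log_text: str, prefix: str = AD_HOC_TRANSFER_PREFIX):
    """Return multipart POSTs to the Ad Hoc Transfer module, in log order.

    Status code is deliberately not filtered: a failed deserialization
    attempt (5xx) is as interesting as a successful one (200).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["uri"].startswith(prefix)
                and rec["ctype"].startswith("multipart/form-data")):
            hits.append(rec)
    return hits


def bursts(events, window=timedelta(seconds=60), min_sources=2):
    """Group events into time windows; keep windows hit by >= min_sources IPs.

    Several distinct sources inside one short window is the "simultaneous,
    mass exploitation" pattern the reports describe. Returns a list of
    (window_start, set_of_source_ips).
    """
    events = sorted(events, key=lambda e: e["ts"])
    groups = []
    start, ips = None, set()
    for e in events:
        if start is None or e["ts"] - start > window:
            if start is not None:
                groups.append((start, ips))
            start, ips = e["ts"], set()
        ips.add(e["ip"])
    if start is not None:
        groups.append((start, ips))
    return [(s, i) for s, i in groups if len(i) >= min_sources]


if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG)
    print(f"{len(hits)} multipart POST(s) to {AD_HOC_TRANSFER_PREFIX}")
    for start, ips in bursts(hits):
        print(f"burst at {start}: {len(ips)} distinct sources {sorted(ips)}")
```

Run against real logs, the same two functions also give the fact Censys and the vendor most want from a customer: whether the module was reachable at all (any POSTs to the prefix) and whether it was touched before the patch date.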

Rapid7 conducted a detailed technical analysis of CVE-2023-40044 on October 2, describing the vulnerability and how it can be exploited. The company categorized the vulnerability as potentially "very high" value for attackers. Caitlin Condon, Head of Vulnerability Research at Rapid7, reported that multiple instances of WS_FTP Server exploitation were observed in customer environments on September 30. However, activity has so far remained limited to that date, which suggests a single adversary may be responsible. While Rapid7 has not directly linked the attacks to CVE-2023-40044, the available evidence suggests it is the vulnerability most likely to be enabling server-side code execution.

Huntress Labs, another security firm, reported observing a limited number of attacks against WS_FTP and CVE-2023-40044. John Hammond, Senior Security Researcher at Huntress, stated that the attacks seemed opportunistic in nature, indicating attempts by attackers to exploit any vulnerable WS_FTP servers they encounter. Huntress observed attacks ranging from simple DNS queries to more advanced techniques like downloading and installing persistence mechanisms. The targeted installations primarily belonged to financial institutions and healthcare providers.

Interestingly, Internet monitoring firm Censys conducted a search for vulnerable WS_FTP servers and discovered substantially fewer instances than initially assumed. Out of over 4,000 internet-accessible WS_FTP hosts, only 325 had the Ad Hoc Transfer Module enabled. By September 29, 91 of these hosts had already disabled the service. Compared with the MOVEit vulnerability, which still has several thousand exposed instances, the number of potentially vulnerable WS_FTP servers is considerably smaller.

Progress Software expressed disappointment in how quickly third parties released PoCs for the vulnerabilities, as this provided a roadmap for threat actors to exploit them before many customers had a chance to apply patches. However, there is currently no evidence to suggest that the vulnerabilities had been exploited prior to the PoCs' release.

In conclusion, while attacks targeting the CVE-2023-40044 vulnerability in Progress Software’s WS_FTP Server have been limited so far, organizations are advised to patch the vulnerability promptly to prevent widespread exploitation. The availability of PoC exploit code and the potential for unauthenticated attackers to execute remote commands make it critical for organizations to apply the necessary updates as soon as possible.