Progress, the company behind MOVEit, patches new actively exploited security flaws

Progress Software, the company behind the recently hacked MOVEit file-transfer software, has released fixes for two more critical-rated vulnerabilities that are being exploited by attackers.

In an advisory published last week, Progress warned of multiple vulnerabilities affecting its enterprise-facing WS_FTP file-transfer software, which the company claims is used by thousands of IT teams worldwide for the “reliable and secure transfer of critical data.”

Two of the WS_FTP vulnerabilities were rated critical. The first, CVE-2023-40044, which was given the maximum severity score of 10.0, is described as a .NET deserialization flaw that could allow an attacker to execute commands on the underlying operating system remotely. The second, tracked as CVE-2023-42657, is a directory traversal vulnerability that could allow an attacker to perform file operations outside the authorized WS_FTP folder path.
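The second bug is the classic shape of a directory traversal flaw: a client-supplied path is joined onto a per-user folder without checking where the result lands. The following is an added illustration, not WS_FTP code or anything from Progress or Assetnote; the base directory, the client paths and the function names are made up for the demo. It shows the vulnerable join beside a confined version that normalizes the path (treating backslashes as separators too, since the product runs on Windows hosts), strips leading separators so an absolute path cannot replace the base, and then requires the result to remain under the authorized folder.

```python
import posixpath

# Constructed example: one authorized folder per user, the equivalent of the
# "authorized WS_FTP folder path" in the advisory. Hypothetical path.
BASE_DIR = "/srv/ftp/users/alice"


def resolve_naive(base_dir, client_path):
    """Vulnerable form: joins the client path onto the base and normalizes it,
    but never checks where the result lands. '..' segments walk out of base_dir
    and an absolute client path discards base_dir entirely."""
    return posixpath.normpath(posixpath.join(base_dir, client_path))


def resolve_confined(base_dir, client_path):
    """Hardened form: canonicalize first, then enforce containment.

    Returns the resolved path, or raises ValueError when the request would
    escape base_dir. posixpath is used so the behaviour is the same on any OS.
    """
    if "\0" in client_path:
        raise ValueError("NUL byte in path")
    base = posixpath.normpath(base_dir)
    # On Windows hosts both '/' and '\\' separate path components, so treat
    # them alike before normalizing; otherwise '..\\' would survive normpath.
    relative = client_path.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Compare against base + "/" so a sibling folder such as
    # ".../users/alice2" is not accepted as a child of ".../users/alice".
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes authorized folder: {client_path!r}")
    return candidate


def triage(base_dir, client_paths):
    """Run both resolvers over a list of requests and report, per request,
    where the naive join lands and whether the confined check allows it."""
    results = []
    for path in client_paths:
        try:
            confined = resolve_confined(base_dir, path)
            allowed = True
        except ValueError:
            confined = None
            allowed = False
        results.append((path, resolve_naive(base_dir, path), allowed, confined))
    return results


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest traversal attempts.
    sample = [
        "reports/q3.csv",
        "../../../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/shadow",
        "../alice2/secret.txt",
    ]
    for path, naive, allowed, confined in triage(BASE_DIR, sample):
        print(f"{path!r:32} naive -> {naive:36} allowed={allowed} confined -> {confined}")
```

A prefix check on a normalized string is the minimum; on a real server the resolved path should additionally go through `os.path.realpath` (or the platform equivalent) before the containment test, because a symlink inside the authorized folder can point outside it and string normalization cannot see that.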

Both of these vulnerabilities are already being exploited by hackers, according to cybersecurity company Rapid7. Caitlin Condon, head of vulnerability research at Rapid7, told TechCrunch that the company observed “a small number of incidents” stemming from exploitation of WS_FTP Server on September 30, impacting several industries including technology and healthcare. Condon said that the execution chain looks the same across all observed instances, indicating “possible mass exploitation of vulnerable WS_FTP servers.”

“We saw similar attacker behavior across all incidents, which may indicate that a single adversary was behind the activity,” Condon told TechCrunch. “We would caution organizations not to let their guard down, however, as we’ve seen single threat actors cause outsized damage when targeting file transfer solutions this year.”

It’s not yet known who is behind these attacks or how many WS_FTP customers have been impacted by this exploitation.

John Eddy, a spokesperson for Progress speaking through an outside public relations agency, provided a statement that criticized security researchers for releasing proof-of-concept exploit code for the vulnerability, but declined to name the researchers. Progress said it was “not aware of any evidence that these vulnerabilities were being exploited prior to that release.”

Security company Assetnote, which first discovered the WS_FTP vulnerabilities, said that there are 2,900 hosts on the internet that are running WS_FTP and have their webserver exposed. “Most of these online assets belong to large enterprises, governments and educational institutions,” the company said.

Progress Software has released a patch for the vulnerabilities and is urging customers to apply the fixes urgently. Rapid7 has shared indicators of compromise that enterprise defenders can look for to establish whether their organization has been hit.

News of attackers exploiting vulnerabilities in Progress Software’s WS_FTP software comes as the company continues to grapple with the aftermath of mass attacks exploiting a zero-day flaw in its MOVEit Transfer platform. These attacks, which began on May 27, have been claimed by the Clop ransomware group; the number of organizations known to be affected has exceeded 2,100, and the true figure is likely significantly higher.

Updated with comment from Progress.