Hacker

Over the weekend, security researchers released a proof-of-concept (PoC) exploit for a maximum severity remote code execution vulnerability in Progress Software's WS_FTP Server file sharing platform.

Assetnote researchers who discovered and reported the maximum severity flaw (CVE-2023-40044) published a blog post with a PoC exploit and additional technical details on Saturday.

CVE-2023-40044 is caused by a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to remotely execute commands on the underlying operating system via a simple HTTP request.

"This vulnerability turned out to be relatively straight forward and represented a typical .NET deserialization issue that led to RCE. It's surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable," Assetnote said.

"From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions."

A Shodan search confirms Assetnote's estimates, showing that more than 2,000 devices running WS_FTP Server are currently reachable over the Internet.

WS_FTP Server exposed online
WS_FTP Server instances exposed online (Shodan)

Exploited in the wild

The day the PoC exploit was released, cybersecurity company Rapid7 also revealed that attackers began exploiting CVE-2023-40044 on Saturday evening, September 30.

"As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild," said Caitlin Condon, Head of Vulnerability Research at Rapid7.

"The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers.

"Additionaly, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we've seen."

WS_FTP itw exploitation

Progress Software released security updates to address the critical CVE-2023-40044 vulnerability on Wednesday, September 27.

"We have addressed the vulnerabilities above and the Progress WS_FTP team strongly recommends performing an upgrade," Progress warned at the time.

"We do recommend upgrading to the most highest version which is 8.8.2. Upgrading to a patched release, using the full installer, is the only way to remediate this issue.

Organizations that cannot immediately patch their servers can still thwart incoming attacks by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module.

On Friday, the Health Sector Cybersecurity Coordination Center (HC3), the U.S. Health Department's security team, also warned all Healthcare and Public Health sector organizations to patch their servers as soon as possible.

Progress Software is still dealing with the fallout of an extensive series of data theft attacks that exploited a zero-day in the MOVEit Transfer secure file transfer platform and affected more than 2,100 organizations and over 62 million individuals, according to Emsisoft estimates.


Update October 02, 13:33 EDT: A Progress spokesperson shared the following statement after the article was published:

We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. 

We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.

The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.

Related Articles:

Exploit released for Fortinet RCE bug used in attacks, patch now

Maximum severity Flowmon bug has a public exploit, patch now

Exploit released for Palo Alto PAN-OS bug used in attacks, patch now

Microsoft pulls fix for Outlook bug behind ICS security alerts

Microsoft: APT28 hackers exploit Windows flaw reported by NSA