Critical Vulnerability in WS_FTP Server Exploited in Attacks: Exploit Now Available

October 2, 2023

Over the past weekend, a PoC exploit for a severe vulnerability in the WS_FTP Server file sharing solution, developed by Progress Software, was made public by security researchers. The vulnerability, tagged as CVE-2023-40044, was discovered and reported by Assetnote researchers, who also shared the PoC exploit and additional technical details in a blog post.

The vulnerability is a result of a .NET deserialization issue in the Ad Hoc Transfer Module, which allows unauthenticated attackers to remotely execute commands on the underlying operating system by simply sending an HTTP request. According to Assetnote, the vulnerability was fairly straightforward and represented a common .NET deserialization problem leading to Remote Code Execution (RCE). The researchers expressed surprise that the bug had remained undetected for so long, given that most versions of WS_FTP are susceptible.

Assetnote's analysis of WS_FTP revealed approximately 2.9k hosts on the internet running this software, with their webservers exposed, a prerequisite for exploitation. The majority of these online assets are owned by large enterprises, governments, and educational institutions. A search conducted on Shodan confirmed these estimates, indicating over 2,000 devices running WS_FTP Server are currently accessible over the Internet.

On the same day the PoC exploit was released, cybersecurity firm Rapid7 reported that attackers had started exploiting CVE-2023-40044. Caitlin Condon, Head of Vulnerability Research at Rapid7, stated, "As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild." She further noted that the process execution chain was identical across all instances, suggesting potential mass exploitation of vulnerable WS_FTP servers.

Progress Software released security updates to address the critical CVE-2023-40044 vulnerability on September 27. The company strongly urged users to upgrade to the latest version, 8.8.2, stating, "We have addressed the vulnerabilities above and the Progress WS_FTP team strongly recommends performing an upgrade." For those who cannot immediately patch their servers, disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module can still prevent incoming attacks.

The Health Sector Cybersecurity Coordination Center (HC3), the security team of the U.S. Health Department, also issued a warning to all Healthcare and Public Health sector organizations, urging them to patch their servers as soon as possible.

Related News

• Progress Software Issues Critical Alert for WS_FTP Server Vulnerability

Latest News

• Millions of Exim Mail Servers Vulnerable to Zero-Day RCE Attacks Due to Critical Flaw
• Israeli Spyware Vendor Intellexa Exploits Rare iOS and Chrome Zero-Days to Target Egyptian Entities
• Exploit for Critical Microsoft SharePoint Server Vulnerability Released
• CISA Highlights Exploitation of Legacy JBoss RichFaces Vulnerability
• Over 2,000 Entities Hit by Cl0p Ransomware Group Exploiting MOVEit Vulnerability