Days after Progress Software issued fixes for a critical flaw in its WS_FTP Server file transfer product, researchers are warning that they are seeing the vulnerability being exploited in the wild.
Progress Software on Sept. 27 disclosed a deserialization bug (CVE-2023-40044) impacting all versions of the WS_FTP Server. The critical flaw drew concerns because it can be exploited without authentication and because it could potentially be leveraged to execute remote commands on the underlying WS_FTP Server operating system.
On Sept. 29, proof-of-concept exploit code for the critical flaw was shared on social media. Starting on Sept. 30, researchers with Rapid7 said they began to observe in-the-wild exploitation of the flaw in multiple customer environments.
“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers,” according to Caitlin Condon with Rapid7 in an analysis. “Additionally, our [managed detection and response] team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we've seen.”
Researchers with Huntress on Oct. 2 also said that they have observed exploitation “in a very small number of cases within our partner base.” Other researchers, with Palo Alto Networks’ Unit 42 team, said they observed threat actors attempting to leverage the flaw to deliver the Meterpreter payload.
Of note, a Progress Software spokesperson said "we are not aware of any evidence that these vulnerabilities were being exploited prior to [the PoC exploit code] release."
Both Progress Software and researchers urge impacted organizations to apply the patches for CVE-2023-40044 - and a number of other bugs disclosed in WS_FTP last week - as soon as possible. The fixed versions are 2020.0.4 (8.7.4) for WS_FTP Server 2020 and 2022.0.2 (8.8.2) for WS_FTP Server 2022.
The flaw is particularly notable as it comes months after a vulnerability in another Progress Software file transfer software product, MOVEit Transfer, led to widespread exploitation and resulted in thousands of organizations being breached. Condon with Rapid7 said that secure flle transfer technologies continue to be lucrative and popular targets for threat actors due to the level of sensitive documents and data that they house.
“While these vulnerabilities are not known to be exploited by adversaries at this time, we would advise updating to a fixed version as soon as possible, without waiting for a typical patch cycle to occur,” said Condon.