Less than a week after Progress Software, the developer behind the MOVEit Transfer file-sharing protocol, warned of multiple vulnerabilities in its WS_FTP Server software, security researchers spotted what they believe to be “a possible mass exploitation” of the flaws.
Researchers at Rapid7 said they observed evidence of exploitation of the CVE-2023-40044 and CVE-2023-42657 bugs on September 30 across multiple instances of WS_FTP.
The first flaw is a deserialization of untrusted data issue in the Ad Hoc Transfer module, which could be exploited for remote code execution. CVE-2023-42657 is a path traversal bug that could be used for directory traversal attacks.
The issue impacts WS_FTP Server versions prior to 8.7.4 and 8.8.2.
“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we've seen,” Rapid7 said.
Researchers at Assetnote, who discovered CVE-2023-40044 and published proof-of-concept exploit code for the bug, said they found about 2,900 WS_FTP servers on the internet, most of which belong to large enterprises, governments and educational institutions.