File transfer software again under attack – CVSS 10 bug exploitable with a single HTTPS POST request

Some 2,900 exposed. It's Progress, but it's not progress...


Managed file transfer software from Progress Software is again being exploited in the wild, security researchers say, with attackers targeting a CVSS 10 .NET deserialization vulnerability (CVE-2023-40044) that is exploitable with a single HTTPS POST request and an off-the-shelf .NET deserialization gadget chain.

“The WS_FTP team recently discovered vulnerabilities in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface,” warned Progress in an advisory on September 27, adding that “we have made version-specific hotfixes available for customers.”

“All versions of WS_FTP Server are affected by these vulnerabilities.”

The eight vulnerabilities it patched (including two rated “critical” and three rated “high”) were not listed as under attack at the time. That has now changed.

WS_FTP vulnerability exploited

The most severe of these Progress MFT vulnerabilities is CVE-2023-40044 and, strictly, it was not discovered by the “WS_FTP team” at all, but by researchers at attack surface specialist Assetnote, with the majority of the other WS_FTP bugs reported by Deloitte’s Cristian Mocanu.

For defenders, that is beside the point: the Progress MFT vulnerability is now being actively exploited in the wild and lets unauthenticated attackers execute remote commands on the underlying WS_FTP Server operating system.
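As an added example (not code from the article, from Assetnote or from Progress), here is a small detector for the single-request pattern described above. It flags captured HTTP requests that carry a base64 blob decoding to a .NET BinaryFormatter serialization stream, the format most .NET deserialization gadget payloads are emitted in. That exploits of this particular bug are encoded that way, the request-export format, the URL paths and the sample traffic are all assumptions constructed for illustration.

```python
"""Flag captured HTTP requests carrying a .NET BinaryFormatter payload.

Added example, not part of the original article or any vendor code. It is a
generic detector for the signature of a BinaryFormatter stream; whether a given
exploit of CVE-2023-40044 uses that encoding is an assumption, and the request
shape, paths and samples below are constructed for illustration.
"""
import base64
import re
from typing import Optional
from urllib.parse import unquote

# Every BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, root id 1, header id -1 (0xFFFFFFFF), major 1, minor 0.
# In base64 this is the familiar "AAEAAAD/////AQAAAAAAAAA" prefix.
BINARY_FORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")

# Runs of base64 alphabet long enough to carry a serialized object graph
# (16 chars is an assumed floor; real gadget chains are kilobytes long).
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")


def find_binaryformatter_blobs(text: str) -> list[str]:
    """Return base64 tokens in `text` that decode to a BinaryFormatter stream."""
    hits = []
    for match in _B64_RUN.finditer(unquote(text)):  # undo %2B/%2F/%3D encoding
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # regex drops trailing '='
        try:
            raw = base64.b64decode(padded)
        except ValueError:  # binascii.Error is a ValueError: odd-length junk
            continue
        if raw.startswith(BINARY_FORMATTER_MAGIC):
            hits.append(token)
    return hits


def scan_request(req: dict) -> Optional[dict]:
    """Inspect one captured request (assumed dict shape) and return a finding.

    `req` has keys method, path, headers (dict) and body, roughly what a
    proxy or WAF export would give. Body and every header are examined.
    """
    locations = {"body": req.get("body", "")}
    for name, value in req.get("headers", {}).items():
        locations[f"header:{name}"] = value
    for where, text in locations.items():
        blobs = find_binaryformatter_blobs(text)
        if blobs:
            return {
                "method": req["method"],
                "path": req["path"],
                "location": where,
                "blob_prefix": blobs[0][:24],
            }
    return None


def scan_requests(requests: list[dict]) -> list[dict]:
    """Run scan_request over a capture and keep only the hits."""
    return [f for f in (scan_request(r) for r in requests) if f]


# Constructed stand-in for a gadget chain: the real header followed by a
# BinaryLibrary record type byte (0x0c), a library id, and filler.
_FAKE_PAYLOAD = base64.b64encode(
    BINARY_FORMATTER_MAGIC + b"\x0c\x02\x00\x00\x00" + b"chain"
).decode()

# Constructed sample traffic; paths are placeholders, not WS_FTP's routes.
SAMPLE_REQUESTS = [
    {   # benign login with a JWT-looking cookie: long base64, not a stream
        "method": "POST", "path": "/login",
        "headers": {"Cookie": "session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc"},
        "body": "user=alice&pass=hunter2",
    },
    {   # serialized object smuggled in a cookie
        "method": "POST", "path": "/transfer/upload",
        "headers": {"Cookie": "ASPSESSION=" + _FAKE_PAYLOAD},
        "body": "",
    },
    {   # same payload, URL-encoded inside a form field
        "method": "POST", "path": "/transfer/upload",
        "headers": {},
        "body": "file=" + _FAKE_PAYLOAD.replace("+", "%2B").replace("/", "%2F").replace("=", "%3D"),
    },
    {"method": "GET", "path": "/index.html", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The check keys on the stream header rather than on any gadget class name, so it catches payloads regardless of which ysoserial-style chain was used; the trade-off is that it cannot see payloads wrapped in a second encoding or compression layer, and it says nothing about which endpoint actually deserializes. Pair it with alerting on POSTs to the Ad Hoc Transfer module paths listed in the vendor advisory, and treat any hit on an unpatched server as an incident, not a scan.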

Critics will be left wondering about Progress' quality assurance processes and its ability to ship secure code, not least because, as Assetnote put it: "It was wild to see all file upload functionality being implemented inside a HTTP module" (not widely seen as best practice...)