Progress Software, whose MOVEit file transfer software was the vector for a variety of attacks earlier this year, has disclosed critical vulnerabilities in another package, WS_FTP Server – and one is already being exploited.
CVE-2023-40044 was discovered by two researchers from Assetnote, Shubham Shah and Sean Yeoh.
On October 1, they wrote that Progress Software’s WS_FTP package has a deserialisation vulnerability that affects “the entire Ad Hoc Transfer component” of the package.
In its advisory, Progress Software said: “In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialisation vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.”
“Pre-authenticated” in Progress’s wording means the attacker needs no credentials at all; Shah and Yeoh made the same point, writing that “the vulnerability could be triggered without any authentication”.
Assetnote said its scans revealed nearly 3000 hosts on the internet that matched the conditions for exploitation – running WS_FTP Server with its web server reachable from the internet – and most “belong to large enterprises, governments and educational institutions”.
Progress Software disclosed a number of other vulnerabilities in its advisory, including CVE-2023-42657, a critical-rated directory traversal bug that lets an attacker escape their authorised WS_FTP folder and perform file operations (including deleting and renaming files and directories) on other locations on the underlying operating system.
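The practical question for a defender is whether a given WS_FTP Server install falls inside the advisory’s affected range and whether it meets the exposure condition Assetnote scanned for. The triage helper below is an added example, not code from Progress Software or Assetnote. It encodes only the fixed versions quoted above (8.7.4 and 8.8.2) and the exposure condition (WS_FTP plus a reachable web server); the reading that each release line is fixed at its listed version, so that releases older than 8.7 are affected and lines newer than 8.8 are not, is an assumption, as is the constructed host inventory.

```python
"""Triage helper for the WS_FTP Server advisory discussed above.

Added example, not Progress Software's or Assetnote's code. It encodes
the fixed versions quoted from the advisory (8.7.4 and 8.8.2) and the
exposure condition Assetnote scanned for (WS_FTP plus a reachable web
server). The inventory records at the bottom are constructed.
"""
from dataclasses import dataclass

# Release line -> first fixed version in that line, per the advisory.
FIXED_VERSIONS = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.7.3' or '8.8.2.0' into a comparable tuple of ints.

    Raises ValueError on anything that is not dotted integers, so a
    banner that could not be parsed is never silently treated as safe.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to at least three components so '8.8' compares like 8.8.0.
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version is inside the advisory's affected range.

    Assumption: each release line is fixed at the listed version, so
    8.7.x below 8.7.4 and 8.8.x below 8.8.2 are affected, anything
    older than the 8.7 line predates both fixes and is affected, and
    anything at or beyond the fixed version in its line is not.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[line]
    return line < (8, 7)


@dataclass
class Host:
    name: str
    version: str
    web_reachable: bool  # Ad Hoc Transfer is served by the web component


def triage(hosts: list[Host]) -> list[str]:
    """Names of hosts matching both conditions: affected version and
    web server reachable. A vulnerable build with the web server
    unreachable still needs patching but is not in the exposed set."""
    return [h.name for h in hosts if h.web_reachable and is_affected(h.version)]


# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    Host("ftp-01", "8.7.3", True),    # affected, exposed
    Host("ftp-02", "8.8.2", True),    # fixed build
    Host("ftp-03", "8.6.1", False),   # affected, but web server not reachable
    Host("ftp-04", "8.8.1", True),    # affected, exposed
    Host("ftp-05", "8.7.4.0", True),  # four-part build string, fixed
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"exposed: {name}")
```

Feed it whatever your asset inventory or banner-grabbing produces; the only fields it needs are a version string and whether the web component answers from the internet.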