CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Incident Response

Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw

Rapid7 says attackers are targeting a critical pre-authentication flaw in Progress Software’s WS_FTP server just days after disclosure.

Just days after the release of patches for a critical pre-authentication flaw in Progress Software’s WS_FTP server product, security experts have detected active exploitation in the wild against multiple target environments.

Cybersecurity vendor Rapid7 raised the alarm over the weekend after it spotted instances of live exploitation of the WS_FTP vulnerability in various customer environments.

According to Caitlin Condon, head of vulnerability research at Rapid7, the easy-to-exploit CVE-2023-40044 vulnerability is already in the crosshairs of attackers attempting mass exploitation of vulnerable WS_FTP servers.

“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team has observed the same Burp Suite domain used across all incidents, which may point to a single threat actor behind the activity we’ve seen,” Condon said.

The critical-severity flaw, which carries a CVSS score of 10/10, can be triggered by attackers over the internet and affects all WS_FTP Server versions prior to 8.7.4 and 8.8.2

Assetnote, the research outfit that discovered the issue, warns that the flaw affects the entire Ad Hoc Transfer component of WS_FTP.  “It was a bit shocking that we were able to reach the deserialization sink without any authentication,” the company said in a note documenting the findings.

“The issue discovered in Progress WS_FTP was within a HTTP Module called MyFileUpload.UploadModule. This HTTP module is responsible for _all_ file uploads made within the AHT application. It was wild to see all file upload functionality being implemented inside a HTTP module, as our belief as engineers is that HTTP modules should not be responsible for file upload functionality (especially given that HTTP modules run on literally every request cycle),” Assetnote added.

Assetnote said it found nearly 3,000 hosts on the internet that are running WS_FTP with an exposed web server and noted that most of the exposed assets belong to large enterprises, governments and educational institutions.

Advertisement. Scroll to continue reading.

Progress Software’s security response team has found itself scrambling to respond to a wave of debilitating ransomware attacks that exploited zero-day flaws in its MOVEit managed file transfer software product.

Earlier this year, the company rushed out patches to cover at least three critical vulnerabilities and announced plans to release regular service packs with a “predictable, simple and transparent process for product and security fixes.”

Software vendors typically use a service pack to deliver a collection of updates, fixes, features or enhancements to an application.  Service packs are delivered in the form of a single installable package.

Related: Critical Pre-Auth Flaws in Progress Software WS_FTP Server

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Chinese Gov Hackers Caught Hiding in Cisco Router Firmware

Related: MOVEit Customers Urged to Patch 3rd Critical Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.