Multiple active exploits of Progress Software’s WS_FTP Server occurred Saturday, according to Rapid7 research.
The attacks took place three days after the company behind the beleaguered MOVEit tool quietly alerted customers to eight vulnerabilities, including two critical, in the file-transfer service.
“The activity our team saw was successful exploitation in real-world environments,” Caitlin Condon, senior manager of vulnerability research at Rapid7, said via email.
Researchers “observed a small number of incidents, all of which occurred the evening of Sept. 30. We haven’t seen any new activity since then,” Condon said.
The exploits hit two of the eight vulnerabilities, CVE-2023-40044 and CVE-2023-42657, which are critical with CVSS scores of 10 and 9.9 out of 10, respectively, according to Rapid7’s research.
“We have not seen any data exfiltration, and all incidents appear to have been contained for the time being,” Condon said.
Progress has read the research, but did not say if it could independently confirm active exploits or attacks.
A company spokesperson criticized unnamed third parties for releasing a proof of concept, reverse-engineered from the vulnerabilities’ disclosure and patch.
Proof-of-concept exploit code for CVE-2023-40044 was publicly available as of Friday evening, according to Rapid7.
“This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” the spokesperson said.
“We are not aware of any evidence that these vulnerabilities were being exploited prior to that release,” the spokesperson said. “Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers.”
Progress disclosed the vulnerabilities in WS_FTP Server three months after it disclosed and patched a widely exploited zero-day vulnerability in MOVEit, another file-transfer service.
The company has borne minimal business impact from Clop’s mass exploit of the zero-day vulnerability in MOVEit, despite supply chain compromises that have affected more than 2,100 organizations.
“The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues,” the Progress spokesperson said.