MOVEit maker may have yet another major security headache

A white padlock on a dark digital background.
(Image credit:

A recently patched pair of vulnerabilities found in WS_FTP Server, are being exploited in the wild, security researchers are warning. 

WS_FTP Server is a secure file transfer software package owned by Progress -  the company behind the also recently exploited MOVEit MFT solution.

Last week, the company released a security advisory saying it discovered and fixed eight vulnerabilities, including two labeled as critical. One is tracked as CVE-2023-40044 (severity rating 10/10), while the other is tracked as CVE-2023-42657 (9.9/10). These vulnerabilities allow threat actors to run a range of malicious activities against vulnerable endpoints, including remote code execution. 

Small number of incidents

"Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system," Progress said in the advisory.

Now, security researchers from Rapid7 are saying both of these are being abused in the wild. Caitlin Condon, head of vulnerability research at the firm, told TechCrunch that the company observed “a small number of incidents” on September 30, targeting firms in different industries, including technology and healthcare. Condon said the execution chain was seemingly identical across the board, hiting “possible mass exploitation of vulnerable WS_FTP servers.”

“We saw similar attacker behavior across all incidents, which may indicate that a single adversary was behind the activity,” Condon told the publication. “We would caution organizations not to let their guard down, however, as we’ve seen single threat actors cause outsized damage when targeting file transfer solutions this year.”

In response, Progress issued a press release saying that prior to its release, the company was “not aware of any evidence that these vulnerabilities were being exploited”. The identity of the threat actors, as well as the number of potential victims, is unknown at this time.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.