CVE-2023-4528
published 2023-09-07

Priority: P2 / 60 / high
CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 27.07% (97.8th percentile)

Unsafe deserialization in JSCAPE MFT Server versions prior to 2023.1.9 (Windows, Linux, and MacOS) permits an attacker to run arbitrary Java code (including OS commands) via its management interface.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redwood | jscape_mft | < 2023.1.9 | 2023.1.9 |
| redwood_software | jscape_mft_server | < 2023.1.9 | 2023.1.9 |

Detection & IOCs (extracted from sources)

cookie: JSESSIONID_11880=
cookie: MFTCSX=
port: 10880
snort
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET INFO JSCAPE MFT - HTTP Management Service Detected via Set-Cookie"; flow:established,to_client; http.cookie; content:"JSESSIONID_11880="; fast_pattern; content:"MFTCSX="; threshold:type limit, count 1, seconds 600, track by_src; reference:url,rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserialization-vulnerability-in-jscape-mft-fixed/; reference:url,www.jscape.com/blog/binary-management-service-patch-cve-2023-4528; classtype:not-suspicious; sid:2047977; rev:1; metadata:created_at 2023_09_08, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_09_08, reviewed_at 2023_09_08;)
snort
alert tls [$HOME_NET,$HTTP_SERVERS] 10880 -> any any (msg:"ET INFO JSCAPE MFT - Binary Management Service Default TLS Certificate"; flow:established,to_client; tls.cert_subject; content:"CN=JSCAPE MFT "; fast_pattern; content:"O=JSCAPE L"; reference:url,rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserialization-vulnerability-in-jscape-mft-fixed/; reference:url,www.jscape.com/blog/binary-management-service-patch-cve-2023-4528; classtype:not-suspicious; sid:2047976; rev:1; metadata:attack_target Web_Server, created_at 2023_09_08, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_09_08, reviewed_at 2023_09_08;)
  • Detect JSCAPE MFT HTTP Management Service by inspecting Set-Cookie response headers for the session cookie name 'JSESSIONID_11880=' combined with 'MFTCSX=' — both are specific to JSCAPE MFT's HTTP management interface.
  • Detect JSCAPE MFT Binary Management Service by inspecting TLS certificate subject fields for 'CN=JSCAPE MFT ' and 'O=JSCAPE L' on port 10880 — this identifies the default self-signed certificate shipped with the product.
  • The vulnerable binary management service listens on TCP port 10880 with TLS; monitor for unexpected inbound connections to this port from external sources as a sign of exploitation attempts.
  • The vulnerability is unsafe Java deserialization via the management interface; monitor for anomalous child processes spawned by the JSCAPE MFT server process as an indicator of successful RCE.
  • The Snort/Suricata rules (SID 2047977, 2047976) are classified as 'not-suspicious' / Informational severity; they identify the presence of JSCAPE MFT, not active exploitation. Tune or layer additional rules to alert on actual deserialization payloads.
  • SID 2047977 uses a rate-limit threshold (1 alert per 600 seconds per source IP), so repeated management service detections from the same host will be suppressed. Adjust threshold for higher-fidelity monitoring.
  • SID 2047977 requires SSL/TLS inspection to be effective in encrypted environments; it is tagged for 'deployment SSLDecrypt'. Ensure TLS inspection is enabled on the monitoring path.
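
The network-side checks from the list above, applied to flow records to inventory exposed management services. This is an added example, not code from this page or from the rule authors; the record schema, the HOME_NET ranges and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Substrings and port taken from the two rules on this page (SID 2047977, 2047976).
HTTP_COOKIE_MARKERS = ("JSESSIONID_11880=", "MFTCSX=")
TLS_SUBJECT_MARKERS = ("CN=JSCAPE MFT ", "O=JSCAPE L")
BINARY_MGMT_PORT = 10880
# Assumption: stand-in for $HOME_NET; replace with your own internal ranges.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the address is in none of the HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in HOME_NET)


def classify(event):
    """Return sorted findings for one flow record (hypothetical schema:
    src, dst_port, set_cookie list, tls_subject; not a real sensor's fields)."""
    findings = set()
    cookies = "; ".join(event.get("set_cookie", []))
    if all(m in cookies for m in HTTP_COOKIE_MARKERS):
        findings.add("http-mgmt-service")
    if event.get("dst_port") == BINARY_MGMT_PORT:
        subject = event.get("tls_subject", "")
        if all(m in subject for m in TLS_SUBJECT_MARKERS):
            findings.add("binary-mgmt-default-cert")
        if is_external(event["src"]):
            findings.add("external-to-10880")
    return sorted(findings)


# Constructed records, not captured traffic. The certificate subject is built
# only so that both rule substrings match; it is not the real subject string.
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "dst_port": 443,
     "set_cookie": ["JSESSIONID_11880=aaa; Path=/", "MFTCSX=bbb; Path=/"]},
    {"src": "10.1.2.3", "dst_port": 10880,
     "tls_subject": "CN=JSCAPE MFT sample,O=JSCAPE L-sample"},
    {"src": "203.0.113.7", "dst_port": 10880, "tls_subject": "CN=other.example"},
    {"src": "10.1.2.3", "dst_port": 443, "set_cookie": ["JSESSIONID=ccc"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["src"], ev["dst_port"], classify(ev))
```

Like the two rules, the first two findings only identify the product; the third marks exposure of port 10880 to sources outside HOME_NET and is the one to prioritise on unpatched versions.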