Researchers Say WS_FTP Server Vulnerabilities are Being Actively Exploited
It appears that criminals are now actively exploiting vulnerabilities in Progress Software’s WS_FTP Server. Progress released updates to address eight vulnerabilities in the software last week. On September 30, researchers from Rapid7 noticed “exploitation of one or more recently disclosed WS_FTP vulnerabilities in multiple customer environments.”
An exploit has been made available publicly. No reason to believe that this is not already being exploited.
You already applied the patches to WS_FTP, right? The vulnerability and POC exploit code are both out there. And Progress Software lists their high-profile customers on their website, simplifying target selection. On top of all that, Progress is dealing with a bunch of lawsuits after the MOVEit breach, which is going to, at best, impact their ability to respond to additional issues, building the case to find an alternate solution.
Roughly 72 hours from patch release (vulnerability) to active exploit. A useful metric for defenders as they evaluate patches before introducing them into their environment. Part of me wonders if the CVSS score that usually accompanies a vulnerability announcement helps evil-doers prioritize their workload. In this case, a vulnerability with a CVSS score of 10 certainly gets attention from both attacker and defender.
WS_FTP is not the option I would choose for an FTP server today. There are many more robust and more straightforward options. So, who is using this software today? Are those environments easier to breach than others? This software package is also maintained by the same company that maintains MOVEit. Where there was smoke, there was plenty of fire.
Read more in Gov Infosecurity: Alert: Attackers Actively Exploiting WS_FTP Vulnerabilities