MOVEit maker announces new critical vulnerability affecting a different file transfer tool

The company behind a popular file transfer service that was exploited by ransomware hackers has announced a new set of vulnerabilities affecting another file transfer tool.

Progress Software — the company behind the widely exploited MOVEit file transfer tool — said this week that one of their other products, WS_FTP Server, has several vulnerabilities that need to be patched immediately.

Thousands of IT teams depend on WS_FTP Server for “the unique business-grade features required to assure reliable and secure transfer of critical data,” according to the company. Progress listed the Denver Broncos, gaming company RockSteady, H&M Software and Scientific American as some customers using the WS_FTP product.

On Wednesday, Progress published an advisory warning that their team and outside researchers discovered eight new vulnerabilities. All versions of WS_FTP Server are affected by these vulnerabilities, and the company made version-specific hotfixes available for customers to remediate them.

“We have responsibly disclosed this vulnerability in conjunction with the researchers at Assetnote," Progress said in a statement to Recorded Future News. "Currently, we have not seen any indication that this vulnerability has been exploited. We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software. Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible.”

The most serious of the issues – CVE-2023-40044 and CVE-2023-42657 – carry CVSS severity scores of 10 and 9.9 respectively, indicating that they are critical issues that companies should quickly address.

CVE-2023-40044 was discovered by two security experts from AssetNote, CTO Shubham Shah and engineering lead Sean Yeoh, and would allow a hacker to execute commands on a victim system.

CVE-2023-42657 was discovered by Progress Software and could be used by attackers to delete or rename files on a variety of victim assets.

Several other issues were discovered by Deloitte’s Cristian Mocanu and carry severity scores ranging from 5.3 to 8.3.

“Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running,” the company said.

Progress Software is now facing several class action lawsuits and severe backlash over the exploitation of vulnerabilities affecting MOVEit – a popular file transfer software used by hundreds of governments, corporations and universities.

The Clop ransomware gang spent weeks stealing sensitive information through the file transfer software, setting off a global patching effort that was considered successful but did little to stop the gang from extracting troves of data.

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Cybersecurity researchers believe the Clop gang has ended up netting anywhere from $75 million to $100 million just from the MOVEit campaign — with that sum “coming from just a small handful of victims that succumbed to very high ransom payments.”

Progress recently told investors that the incident would have a “minimal” business impact on the company, Cybersecurity Dive reported Thursday.

File transfer tools have long been a target of hackers due to the access they provide to sensitive data. The Clop ransomware gang previously exploited Fortra’s GoAnywhere file transfer product earlier this year and Accellion’s file transfer appliance in 2021.

Dustin Childs – head of threat awareness at Trend Micro’s Zero Day Initiative – told Recorded Future News this summer that defenders should be on the lookout for file transfer software attacks because they are in the “very soft middle” of organizations’ networks.

“Attackers – especially the ransomware crews – are gonna start looking at those [file transfer zero days] because people are getting a little smarter with not clicking on stuff and not responding to the scam emails,” he said.

“And by the way, MOVEit is not the only product in that field. There are other file transfer appliances out there. How secure are they? I would imagine if you've got a file transfer appliance, it's probably a target.”