
Hosted~FTP~ Response to Breaches

This article addresses the concerns of some HostedFTP customers who had questions about vulnerabilities and exploits being found. These are HostedFTP’s official responses to these events.

| Date | Breach | Details | Hosted~FTP~ Response |
| --- | --- | --- | --- |
| 2023-09-27 | WS_FTP Multiple Vulnerabilities | Various reports indicate 8 different vulnerabilities, 2 of which have scored at a high severity level. More details here | Hosted~FTP~ does not use or implement WS_FTP anywhere in our infrastructure and is not affected by the exploit. Customers who use WS_FTP as an FTP client may be at risk and are recommended to take action. |
| 2023-01-19 | Exploitation of Control Web Panel CVE-2022-44877 | “The vulnerability arises from a condition that allows attackers to run bash commands when double quotes are used to log incorrect entries to the system. Successful exploitation allows remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter” | Hosted~FTP~ does not use Control Web Panel anywhere in our infrastructure and is not affected by the exploit. |
| 2023-01-19 | CVE-2022-47966: Observed Exploitation of Critical ManageEngine Vulnerability | “A pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus.” | Hosted~FTP~ does not use ManageEngine’s products in any of our infrastructure and is not impacted by this vulnerability. |
| 2021-12-09 | CVE-2021-44228: Apache Log4J Vulnerability | “Log4Shell is a Java Naming and Directory Interface™ (JNDI) injection vulnerability which can allow remote code execution (RCE). By including untrusted data (such as malicious payloads) in the logged message in an affected Apache Log4j version, an attacker can establish a connection to a malicious server via JNDI lookup. The result: full access to your system from anywhere in the world.” | Hosted~FTP~ does not have Log4J2 in any of our Java applications and is not exposed in any way to this type of vulnerability. |