Progress warns of maximum severity WS_FTP Server vulnerability
2023-09-28 22:02

Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.

The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.

Out of all WS_FTP Server security flaws patched this week, two of them were rated as critical, with the one tracked as CVE-2023-40044 receiving a maximum 10/10 severity rating and allowing unauthenticated attackers to execute remote commands after successful exploitation of a .NET deserialization vulnerability in the Ad Hoc Transfer module.

The other critical bug is a directory traversal vulnerability that enables attackers to perform file operations outside the authorized WS_FTP folder path.

"Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations on file and folder locations on the underlying operating system," Progress said.

"We have addressed the vulnerabilities above and the Progress WS_FTP team strongly recommends performing an upgrade," Progress warned.


News URL

https://www.bleepingcomputer.com/news/security/progress-warns-of-maximum-severity-ws-ftp-server-vulnerability/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-09-27 | CVE-2023-40044 | Deserialization of Untrusted Data vulnerability in Progress WS FTP Server | 8.8

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
network, low complexity, progress, CWE-502

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Progress 28 0 56 50 31 137