On 28 September, enterprise technology vendor Progress Software shipped patches for critical security flaws in its WS_FTP Server file transfer software, warning that a pre-authenticated (that is, unauthenticated) attacker could execute commands on the underlying operating system and perform file operations on customer files outside their authorised folders.
Ryan Naraine, editor at SecurityWeek, reported:
‘An urgent bulletin from the Burlington, Mass. company documented at least eight security defects that could be exploited remotely and urged business customers to immediately upgrade to WS_FTP Server 2020.0.4 (8.7.4) and WS_FTP Server 2022.0.2 (8.8.2).’
Progress Software has rated two of the flaws, CVE-2023-40044 and CVE-2023-42657, critical: the first allows pre-authenticated remote command execution, and the second lets an attacker perform file operations outside the authorised WS_FTP folder path, including on the underlying operating system.
These vulnerabilities pose a serious threat to financial entities that depend on WS_FTP Server for Managed File Transfer (MFT) operations to exchange proprietary data such as client records, financial statements and intra-company communications. Many of Progress Software’s customers had already suffered financial losses, including fines, compensation payments and the loss of confidence of their business associates, following the critical flaws in the company’s other MFT product, MOVEit Transfer, earlier this year.
Critical Security Flaws Listed by Progress Software
From the Progress Software bulletin:
‘CVE-2023-40044 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. Critical — CVSS: 10/10.
CVE-2023-42657 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. Critical — CVSS: 9.9/10.’
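The directory traversal described for CVE-2023-42657 belongs to a well-understood class: a server joins a client-supplied relative path onto the user’s home folder and operates on the result without checking where the normalised path actually lands. The bulletin does not describe the internal mechanics of the WS_FTP defect, so the example below is an added illustration of the general bug and its fix, not Progress Software’s code. It places the unsafe join beside a hardened resolver that rejects absolute and drive-qualified paths and requires the normalised result to stay at or below the user root, then applies the same check to every path argument of the four operations the bulletin names (delete, rename, rmdir, mkdir). The user roots and requested paths are constructed sample inputs; `ntpath` is used alongside `posixpath` because WS_FTP Server runs on Windows and `ntpath` is importable on any platform.

```python
import posixpath
import ntpath

# Constructed sample roots (assumed already absolute and normalised, as a
# server would hold them after login). One POSIX-style, one Windows-style.
POSIX_ROOT = "/srv/ftp/users/alice"
WIN_ROOT = "C:\\WS_FTP\\Users\\alice"


def naive_target(user_root, requested, pathmod=posixpath):
    """Unsafe pattern: join the client path onto the user's folder and act on
    whatever it normalises to. '..' segments walk straight out of user_root."""
    return pathmod.normpath(pathmod.join(user_root, requested))


def resolve_user_path(user_root, requested, pathmod=posixpath):
    """Hardened resolver: refuse absolute or drive-qualified input, normalise,
    and require the result to be user_root itself or strictly beneath it."""
    root = pathmod.normpath(user_root)
    # An absolute path, or a Windows drive prefix such as 'D:loot', makes
    # pathmod.join discard the root entirely, so reject it up front.
    if pathmod.isabs(requested) or pathmod.splitdrive(requested)[0]:
        raise PermissionError(f"absolute or drive-qualified path rejected: {requested!r}")
    candidate = pathmod.normpath(pathmod.join(root, requested))
    # normcase folds case and separators on Windows. The trailing separator
    # matters: a bare prefix test would wrongly accept '.../alice2/...'.
    n_root, n_cand = pathmod.normcase(root), pathmod.normcase(candidate)
    if n_cand != n_root and not n_cand.startswith(n_root + pathmod.sep):
        raise PermissionError(f"path escapes user folder: {requested!r} -> {candidate}")
    return candidate


def is_allowed(user_root, requested, pathmod=posixpath):
    """Boolean view of resolve_user_path for quick policy checks."""
    try:
        resolve_user_path(user_root, requested, pathmod)
        return True
    except PermissionError:
        return False


# The four operations named in the bulletin and how many paths each takes.
ALLOWED_OPS = {"delete": 1, "rmdir": 1, "mkdir": 1, "rename": 2}


def validate_operation(user_root, op, *args, pathmod=posixpath):
    """Resolve every path argument of one operation inside user_root.
    rename takes two paths: an unchecked destination is as much an escape
    as an unchecked source (move a file out, or clobber a file outside)."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"unknown operation {op!r}")
    if len(args) != ALLOWED_OPS[op]:
        raise ValueError(f"{op} expects {ALLOWED_OPS[op]} path(s), got {len(args)}")
    return [resolve_user_path(user_root, a, pathmod) for a in args]


def operation_allowed(user_root, op, *args, pathmod=posixpath):
    """Boolean view of validate_operation."""
    try:
        validate_operation(user_root, op, *args, pathmod=pathmod)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed requests: where the naive join lands versus what the
    # hardened resolver decides.
    for req in ("reports/q3.csv", "../bob/secret.txt", "../../../../etc/passwd"):
        print(f"{req!r:32} naive -> {naive_target(POSIX_ROOT, req)!r:30} "
              f"allowed={is_allowed(POSIX_ROOT, req)}")
    for req in ("Inbox\\..\\Outbox\\file.txt", "..\\..\\..\\Windows\\System32", "D:loot"):
        print(f"{req!r:32} allowed={is_allowed(WIN_ROOT, req, ntpath)}")
```

The check above is purely lexical, which is the right first gate because it runs before anything touches the disk. It is not the last gate: symbolic links, NTFS junctions, 8.3 short names and trailing dots or spaces in Windows names can all make a lexically clean path resolve somewhere else, so a server should additionally canonicalise with the real filesystem (`os.path.realpath`) and re-apply the same prefix test to the canonical result before each delete, rename, rmdir or mkdir.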
This is the second time this year that Progress Software customers have been issued patches for critical flaws in a file transfer product: the company’s MOVEit Transfer MFT product was exploited in debilitating ransomware attacks earlier this year.
The company has acknowledged that the lack of a predictable release timeline, around which customers could plan the adoption of updates and fixes, has added to the risk and inconvenience for users of its MOVEit MFT product, and says it has plans in the pipeline to remedy this.
Read more about reducing risk in file transfer in our latest blog article.
Article by C. James