Progress Software, the developer of the MOVEit Transfer file-sharing platform that was recently involved in extensive data theft attacks, has issued a critical security advisory urging its customers to patch a high-severity vulnerability in its WS_FTP Server software.
The company serves thousands of IT teams worldwide with its enterprise-grade WS_FTP Server, a secure file transfer software. In the advisory published, Progress Software disclosed several vulnerabilities affecting the software’s manager interface and Ad Hoc Transfer Module.
Notably, two of these vulnerabilities are rated as critical, with CVE-2023-40044 garnering a maximum severity rating of 10/10, potentially allowing unauthenticated attackers to execute remote commands through a .NET deserialization vulnerability in the Ad Hoc Transfer module.
The other critical bug, CVE-2023-42657, involves a directory traversal vulnerability, enabling attackers to perform file operations outside the authorized WS_FTP folder path. This could permit them to delete, rename, or create directories and files on the underlying operating system.
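The directory traversal class described above is, in general, a failure to confine file operations to an authorized root folder. The following Python example is added here as an illustration of that defensive check and is not code from Progress Software or from WS_FTP Server; the root path and the request strings are constructed sample values. It contrasts a naive string-prefix check, which a sibling directory such as `data_backup` slips past, with canonical-path containment using `os.path.realpath` and `os.path.commonpath`.

```python
import os


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the authorized root."""


def _canonical(root: str, requested: str) -> tuple[str, str]:
    # Resolve both the root and the candidate to absolute, symlink-free,
    # normalized paths so that "..", "." and links cannot hide the target.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    return root_real, candidate


def naive_prefix_check(root: str, requested: str) -> bool:
    # Common but flawed containment check: a plain string prefix test.
    # "/srv/wsftp/data_backup/x" starts with "/srv/wsftp/data", so a
    # request for "../data_backup/x" is wrongly accepted.
    root_real, candidate = _canonical(root, requested)
    return candidate.startswith(root_real)


def resolve_within_root(root: str, requested: str) -> str:
    """Return the canonical path for `requested`, or raise if it leaves `root`."""
    root_real, candidate = _canonical(root, requested)
    try:
        common = os.path.commonpath([root_real, candidate])
    except ValueError:
        # Different drives on Windows: cannot share a root at all.
        raise PathTraversalError(f"{requested!r} is outside {root!r}")
    # Containment holds only when the shared prefix is the whole root,
    # compared component-wise rather than character-wise.
    if common != root_real:
        raise PathTraversalError(f"{requested!r} is outside {root!r}")
    return candidate


def classify(root: str, requests: list[str]) -> dict[str, str]:
    """Label each request 'allowed' or 'blocked' under the hardened check."""
    verdicts = {}
    for req in requests:
        try:
            resolve_within_root(root, req)
            verdicts[req] = "allowed"
        except PathTraversalError:
            verdicts[req] = "blocked"
    return verdicts


if __name__ == "__main__":
    # Constructed sample root and requests; none of these need to exist.
    ROOT = "/srv/wsftp/data"
    SAMPLE = [
        "reports/q3.csv",          # ordinary file inside the root
        "../../../etc/passwd",     # classic dot-dot escape
        "/etc/passwd",             # absolute path replaces the root on join
        "../data_backup/x",        # sibling directory sharing a name prefix
    ]
    for req, verdict in classify(ROOT, SAMPLE).items():
        print(f"{verdict:8} {req}  (naive prefix check: {naive_prefix_check(ROOT, req)})")
```

The point to take from the sibling-directory case is that containment must be decided on path components after canonicalization, not on raw strings; the same idea applies to any server that maps user-supplied names onto a per-user or per-module folder.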
Both critical vulnerabilities are rated as low-complexity issues, meaning they can be exploited without requiring significant user interaction. Progress Software strongly recommends an immediate upgrade to version 8.8.2, as applying the full installer is the only effective way to remediate these vulnerabilities; note that this process will result in system downtime.
The company also offers guidance on removing or disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module for cases where it’s not in use. The urgency of patching these vulnerabilities cannot be overstated, as they pose a significant security risk to the software’s users.
Progress Software’s move to address these issues underscores the importance of promptly applying security patches and updates to protect against potentially damaging cyberattacks.