Connect with us

Hi, what are you looking for?



Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 

Progress Software ships patches for critical-severity flaws in its WS_FTP file transfer software and warns that a pre-authenticated attacker could wreak havoc on the underlying operating system.

MOVEit hack impact

Enterprise technology vendor Progress Software on Thursday shipped patches for critical-level security flaws in its WS_FTP file transfer software, warning that a pre-authenticated attacker could wreak havoc on the underlying operating system.

An urgent bulletin from the Burlington, Mass. company documented at least eight security defects that could be exploited remotely and urged business customers to immediately upgrade to WS_FTP Server 2020.0.4 (8.7.4) and WS_FTP Server 2022.0.2 (8.8.2).

Progress Software said two of the vulnerabilities —  CVE-2023-40044 and CVE-2023-40045 — are rated critical because of the risk of pre-auth remote command execution attacks.

From the Progress Software bulletin:

  • CVE-2023-40044 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. Critical — CVSS: 10/10.
  • CVE-2023-42657 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered.  An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path.  Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. Critical — CVSS: 9.9/10.

The company also called attention to a trio of high-severity bugs that could lead to reflected cross-site scripting (XSS) and SQL injection attacks.

Progress Software’s security response team has found itself scrambling to respond to a wave of debilitating ransomware attacks that exploited zero-day flaws in its MOVEit managed file transfer software produyt.

Earlier this year, the company rushed out patches to cover at least three critical vulnerabilities and announced plans to release regular service packs with a “predictable, simple and transparent process for product and security fixes.”

“We have heard from you that a regular cadence and predictable timeline will enable you to better plan your resources and make it easier to adopt new product updates and fixes. As a part of these Service Packs, we will also be optimizing the installation process to make the upgrade process simpler,” Progress said in a note posted with the first service pack.

Software vendors typically use a service pack to deliver a collection of updates, fixes, features or enhancements to an application.  Service packs are delivered in the form of a single installable package.

Advertisement. Scroll to continue reading.

Related: Nearly 1,000 Org, 60M Individuals Impacted by MOVEit Hack

Related: MOVEit Customers Urged to Patch 3rd Critical Vulnerability

Related: Ransomware Group Naming Victims of MOVEit Zero-Days

Related: After Zero-Days, MOVEit Turns to Security Service Packs

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...