Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product


With a warning that a pre-authenticated attacker may wreak havoc on the underlying operating system, enterprise technology provider Progress Software on Thursday issued remedies for critical-level security issues in its WS_FTP file transfer software. The Burlington, Massachusetts company issued an urgent bulletin advising business clients to immediately upgrade to WS_FTP Server 2020.0.4 and WS_FTP Server 2022.0.2 due to at least eight security flaws that might be remotely exploited.

According to Progress Software, two of the vulnerabilities, CVE-2023-40044 and CVE-2023-40045, are rated critical because of the possibility of pre-auth remote command execution attacks. CVE-2023-40044: A pre-authenticated attacker might use a .NET deserialization flaw in the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2 to remotely control the underlying WS_FTP Server operating system.
