Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 


An urgent bulletin from the Burlington, Mass. company documented at least eight security defects that could be exploited remotely and urged business customers to immediately upgrade to WS_FTP Server 2020.0.4 (8.7.4) and WS_FTP Server 2022.0.2 (8.8.2).

Progress Software said two of the vulnerabilities — CVE-2023-40044 and CVE-2023-40045 — are rated critical because of the risk of pre-auth remote command execution attacks.

From the Progress Software bulletin:

  • CVE-2023-40044 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. Critical — CVSS: 10/10.