Progress Software program has unveiled hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server supervisor interface.
Tracked as CVE-2023-40044, the flaw has a CVSS rating of 10., indicating maximum severity. All variations of the software package are impacted by the flaw.
“In WS_FTP Server variations prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Advert Hoc Transfer module to execute distant instructions on the fundamental WS_FTP Server operating system,” the firm said in an advisory.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with getting and reporting the vulnerability.
The checklist of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows –
- CVE-2023-42657 (CVSS rating: 9.9) – A listing traversal vulnerability that could be exploited to perform file functions.
- CVE-2023-40045 (CVSS rating: 8.3) – A reflected cross-website scripting (XSS) vulnerability in the WS_FTP Server’s Advert Hoc Transfer module that could be exploited to execute arbitrary JavaScript in the context of the victim’s browser.
- CVE-2023-40047 (CVSS rating: 8.3) – A stored cross-site scripting (XSS) vulnerability exists in the WS_FTP Server’s Management module that could be exploited by an attacker with admin privileges to import an SSL certificate with destructive characteristics that contains XSS payloads that could then be triggered in victim’s browser.
- CVE-2023-40046 (CVSS score: 8.2) – An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer data stored in the databases and execute SQL statements that alter or delete its contents.
- CVE-2023-40048 (CVSS rating: 6.8) – A cross-website ask for forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
- CVE-2022-27665 (CVSS score: 6.1) – A mirrored cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6. that can direct to execution of destructive code and instructions on the shopper.
- CVE-2023-40049 (CVSS rating: 5.3) – An authentication bypass vulnerability that lets buyers to enumerate documents underneath the ‘WebServiceHost’ directory listing.
With security flaws in Progress Program getting to be an beautiful target for ransomware teams like Cl0p, it is really necessary that users transfer promptly to apply the most recent patches to have possible threats.
Upcoming WEBINARFight AI with AI — Battling Cyber Threats with Following-Gen AI Applications
Ready to tackle new AI-driven cybersecurity problems? Join our insightful webinar with Zscaler to tackle the escalating risk of generative AI in cybersecurity.
Supercharge Your Capabilities
The enterprise, in the meanwhile, is still grappling with the fallout from the mass hack focusing on its MOVEit Transfer protected file transfer platform considering the fact that May well 2023. Far more than 2,100 businesses and over 62 million men and women are believed to have been impacted, in accordance to Emsisoft.
Identified this article interesting? Observe us on Twitter and LinkedIn to read through additional exclusive information we post.
Some sections of this article are sourced from:
thehackernews.com