Skip to main content
close search
site logo

Progress Software discloses 8 vulnerabilities in one of its other file-transfer services

The company behind the beleaguered MOVEit service has another vulnerable tool — WS_FTP Server. While there are no known exploits, two of the CVEs are critical.

Published Sept. 29, 2023
Matt Kapko's headshot
Senior Reporter
Smiling businesswoman in headphones taking notes, working with laptop and talking smartphone, blue glowing information protection icons. Padlock, cloud and digital interface. Cyber security concept - stock photo
iStock via Getty Images

Progress Software quietly alerted customers to eight vulnerabilities in WS_FTP Server, another file-transfer service from the company behind MOVEit.

The company shared the news the day after its fiscal third quarter earnings call.

Two of the eight vulnerabilities are critical with CVSS scores of 10 and 9.9 out of 10, CVE-2023-40044 and CVE-2023-42657, respectively. All versions of the file-transfer service, which allows customers to remotely manage their service from any internet connection, are impacted, the company said Wednesday. Thousands of IT teams use WS_FTP Server, according to a product page.

There’s no indication any of the vulnerabilities in WS_FTP Server have been exploited, a Progress Software spokesperson told Cybersecurity Dive.

“We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software,” the spokesperson said via email. “Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible.”

The company said it responsibly disclosed the vulnerabilities in conjunction with researchers. The most critical vulnerability was discovered by Assetnote and four others were attributed to Deloitte.

“If MOVEit has taught us anything it is that these file-transfer vulnerabilities should be taken seriously,” Tim Morris, chief security advisor for the Americas at Tanium, said via email.

The most critical vulnerability, CVE-2023-40044, allows a pre-authenticated attacker to leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

“Hunt them down and patch them,” Morris said. “The critical vulnerabilities are just that, critical.”

The disclosure comes as the downstream impact from Clop’s mass exploit of a zero-day vulnerability in MOVEit, continues to grow. More than 2,100 organizations and at least 62 million individuals have been impacted.

Yet, the business impact for Progress to date has been “minimal," CEO Yogesh Gupta said Tuesday on the company’s earnings call.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell