Progress Software has released hotfixes for its WS_FTP Server product to address a critical security vulnerability. This flaw, tracked as CVE-2023-40044, has a CVSS score of 10.0, the maximum severity. It affects the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface.
The vulnerability allows an unauthenticated, remote attacker to exploit a .NET deserialization flaw in the Ad Hoc Transfer Module to execute commands on the underlying WS_FTP Server operating system. This amounts to pre-authentication remote code execution (RCE) with no user interaction required. Additionally, a directory traversal flaw, tracked as CVE-2023-42657, enables unauthorized file operations: it allows an attacker to act on files and folders outside their authorized WS_FTP folder path, or on the underlying operating system itself.
Progress Software has remediated these vulnerabilities and recommends upgrading to the latest version (8.8.2) to mitigate the risks. Note that the upgrade requires a system outage. The company has not observed any signs of exploit activity targeting these vulnerabilities. More information can be found on the Progress Software website.
The hotfixes released by Progress Software address the critical security vulnerability in its WS_FTP Server product. By upgrading to the latest version, users can mitigate the risks associated with both the .NET deserialization vulnerability and the directory traversal flaw. Although the upgrade causes a system outage, it is necessary to secure the WS_FTP Server. Progress Software has not detected any exploit activity targeting these vulnerabilities. For further details, refer to the Progress Software website.