On September 27, 2023, WS_FTP Server customers were notified and provided a patch that addressed several vulnerabilities in WS_FTP Server in WS_FTP Server Ad hoc Transfer Module, WS_FTP Server's SSH module and in the WS_FTP Server. All versions of WS_FTP Server are affected and full CVE details are included below.
We encourage all WS_FTP Server customers to immediately apply the patch released on September 27 to harden their environments.
This series of vulnerabilities was discovered by internal WS_FTP engineers in conjunction with the cybersecurity researchers and experts at Assetnote, who abided by their responsible reporting policies. We are thankful for the partnership with them and the larger cybersecurity community who are diligently working to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.
While we are not aware of any evidence that these vulnerabilities were being exploited prior to the release of the patch, we have learned that a proof of concept (POC), reverse-engineered from our initial vulnerability disclosure and patch, has been posted publicly by an unauthorized third-party. This provides threat actors with a roadmap on how to exploit the vulnerabilities and attempt attacks against our customers that have not yet deployed the patch. For customers who have yet to deploy the patch, please refer to this knowledge base article for details and the actions required. The patched release, using the full installer, is the only way to remediate this issue.
Our customers have been and will continue to be our top priority. We continue to work with them and responsible third-party research experts to discover, properly disclose and remediate any issues. As a community, we need to continue to discourage the irresponsible publication of POCs rapidly following the release of software patches by individuals looking for personal gain or notoriety.
If customers have questions related to this issue, please log in to open a new Technical Support case in our customer community for assistance or reach out to your implementation partner. We are now working with the security community to determine any indicators of compromise and will also post updates to the knowledge base article, as needed. If you find vulnerabilities in any of our software, we ask that you responsibly report them by reaching out directly to us. To submit a vulnerability, please go to https://www.progress.com/security/vulnerability-reporting-policy.
CVE-2023-40044: https://www.cve.org/CVERecord?id=CVE-2023-40044
CVE-2023-42657: https://www.cve.org/CVERecord?id=CVE-2023-42657
CVE-2023-40046: https://www.cve.org/CVERecord?id=CVE-2023-40046
CVE-2023-40045: https://www.cve.org/CVERecord?id=CVE-2023-40045
If a WS_FTP customer has not yet applied the patch it is essential that they do so as soon as possible by following the steps outlined in the knowledge base article. We urge customers to make sure they only download the patch from our knowledge base and not from any third-party sites.
Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running.
For all customers on a current maintenance agreement, the upgrade can be accessed by logging into the Progress Community—https://community.progress.com/s/. Customers that are not on a current maintenance agreement should contact the Progress Renewals team or your Progress partner account representative.
To confirm your current version of WS_FTP Server please follow the instructions in this knowledge base article.
1. Log in to the Download Center at https://community.progress.com/s/products-list using your Progress ID credentials
2. Select the appropriate Asset from the list
3. Click the Download link under the Related Products & Downloads section
4. Click [Download] next to the Fixed Version you would like to download (reference table below)
Fixed Version | Documentation |
WS_FTP Server 2020.0.4 (8.7.4) | Upgrade Documentation |
WS_FTP Server 2022.0.2 (8.8.3) | Upgrade Documentation |
Richard Barretto is the Chief Information Security Officer at Progress. Richard and his team are responsible for overseeing and developing the data protection strategy for Progress enterprise. He joined the company back in 2020 and has 20-plus years of experience as a cyber security professional. In his free time, he likes playing tennis and spending time with family.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.
Learn MoreSubscribe to get all the news, info and tutorials you need to build better business apps and sites
Progress collects the Personal Information set out in our Privacy Policy and the Supplemental Privacy notice for residents of California and other US States and uses it for the purposes stated in that policy.
You can also ask us not to share your Personal Information to third parties here: Do Not Sell or Share My Info
We see that you have already chosen to receive marketing materials from us. If you wish to change this at any time you may do so by clicking here.
Thank you for your continued interest in Progress. Based on either your previous activity on our websites or our ongoing relationship, we will keep you updated on our products, solutions, services, company news and events. If you decide that you want to be removed from our mailing lists at any time, you can change your contact preferences by clicking here.