CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2023-40044

CVSS 10.0v3.1pub. 2023-09-27upd. 2025-10-31

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Progress Ws Ftp Server

    APP
    Progress
    < 8.7.48.8 – 8.8.2 (bez)

CISA KEV — detailsi

Vendori
Progress
Producti
WS_FTP Server
Added to KEVi
October 5, 2023
Remediation deadline (US Federal)i
October 26, 2023(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 26 października 2023
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2023-42659CRITICAL9.1ten sam produkt

In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An...

CVE-2023-42657CRITICAL9.9ten sam produkt

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered.  An...

CVE-2024-1474HIGH7.5ten sam produkt

In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various ...

CVE-2023-40045HIGH8.3ten sam produkt

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability ...

CVE-2023-40046HIGH8.2ten sam produkt

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Se...