On September 09, 2023, Progress Software released a hotfix to address multiple critical vulnerabilities in the WS_FTP Server and the WS_FTP Server Ad hoc Transfer Module. If left unpatched, these vulnerabilities could allow attackers to remotely execute code on the devices and perform file operations outside of the authorized WS_FTP folder paths. The vulnerabilities are tracked under the following CVEs:
- CVE-2023-42657 (CVSS 9.9)
- CVE-2023-27665 (CVSS 6.1)
- CVE-2023-40044 (CVSS 10)
- CVE-2023-40449 (CVSS 5.3)
BlueVoyant has provided a list of Health-ISAC member organizations that are potentially vulnerable to the latest critical vulnerability in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server Manager interface.
Targeted Alerts are being provided to the organizations where Health-ISAC has visibility into the usage of Progress WS_FTP.