H-ISAC TLP Green Vulnerability Bulletin: WS_FTP Critical Vulnerability


On September 09, 2023, Progress Software released a hotfix to address multiple critical vulnerabilities in the WS_FTP Server and the WS_FTP Server Ad hoc Transfer Module. If left unpatched, these vulnerabilities could allow attackers to remotely execute code on the devices and perform file operations outside of the authorized WS_FTP folder paths. The following vulnerabilities have been tracked through multiple CVEs:

  • CVE-2023-42657 (CVSS 9.9)
  • CVE-2023-27665 (CVSS 6.1)
  • CVE-2023-40044 (CVSS 10) 
  • CVE-2023-40449 (CVSS 5.3) 

BlueVoyant has provided a list of Health-ISAC member organizations that are potentially vulnerable to the latest critical vulnerability in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server Manager interface.

Targeted Alerts are being provided to the organizations where Health-ISAC has visibility into the usage of Progress WS_FTP.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272