Progress Software quietly alerted customers to eight vulnerabilities in WS_FTP Server, another file-transfer service from the company behind MOVEit.
The company shared the news the day after its fiscal third quarter earnings call.
Two of the eight vulnerabilities are critical: CVE-2023-40044 and CVE-2023-42657, with CVSS scores of 10 and 9.9 out of 10, respectively. All versions of the file-transfer service, which allows customers to remotely manage their service from any internet connection, are impacted, the company said Wednesday. Thousands of IT teams use WS_FTP Server, according to a product page.
There’s no indication any of the vulnerabilities in WS_FTP Server have been exploited, a Progress Software spokesperson told Cybersecurity Dive.
“We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software,” the spokesperson said via email. “Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible.”
The company said it responsibly disclosed the vulnerabilities in conjunction with researchers. The most critical vulnerability was discovered by Assetnote and four others were attributed to Deloitte.
“If MOVEit has taught us anything it is that these file-transfer vulnerabilities should be taken seriously,” Tim Morris, chief security advisor for the Americas at Tanium, said via email.
The most critical vulnerability, CVE-2023-40044, allows a pre-authenticated attacker to leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
“Hunt them down and patch them,” Morris said. “The critical vulnerabilities are just that, critical.”
The disclosure comes as the downstream impact from Clop’s mass exploitation of a zero-day vulnerability in MOVEit continues to grow. More than 2,100 organizations and at least 62 million individuals have been impacted.
Yet, the business impact for Progress to date has been “minimal,” CEO Yogesh Gupta said Tuesday on the company’s earnings call.