September 29, 2023

MOVEit Transfer publisher Progress Software patches critical FTP flaws

Two of the bugs have been given a critical severity level, and users are being urged to update their systems as soon as possible.

By Claudia Glover

Progress Software has patched two critical vulnerabilities in one of its FTP products, WS_FTP, as part of a tranche of eight fixes released this week. The company is still reeling from the impact of a vulnerability in another of its products, MOVEit Transfer, which has led to the biggest cyberattack of the year, and it will be hoping these new flaws are not exploited by criminals.

Progress Software released updates for eight vulnerabilities in FTP software. (Photo by Rawpixel/Shutterstock)

WS_FTP Server, formerly known as WinSock FTP, is one of the internet’s oldest FTP services and, according to its website, is used globally to support millions of end users in transferring billions of files and petabytes of data. The vulnerabilities patched this week affect all versions of the product, and the company advises its customers to “update immediately”.

Two of the vulnerabilities listed in the update released on Wednesday have been given a critical severity rating. The most severe is CVE-2023-40044, which received the highest possible severity score of ten. It stems from insecure deserialisation of serialised objects in the product’s software and could allow an attacker to “execute remote commands”, giving them control of the product and the system it runs on.

The second critical vulnerability, tracked as CVE-2023-42657, received a severity score of 9.9 and could be used by attackers to delete or rename files on numerous victim assets.

The other six vulnerabilities have severity ratings ranging from 5.3 to 8.3 and could allow hackers to inject malicious code into victim systems, execute malicious JavaScript, or alter and delete database elements, to name a few of the risks.

“Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” Progress Software said.

More problems for Progress after MOVEit Transfer attacks

Progress is in the midst of dealing with the fallout from the attacks that have exploited a vulnerability in the MOVEit Transfer software, which is used by businesses to securely move files. Russian ransomware gang Cl0p discovered and has been exploiting the bug, and has so far obtained data from 2,000 businesses impacting 62 million people, according to security company Emsisoft. Researchers at another vendor, Coveware, believe the gang could make $75–100m from the campaign.


It is not a surprise that Cl0p could cash in, given the profile of the companies involved. Big business names including British Airways, the BBC and Boots have all fallen victim to the vulnerability, with many of them affected as a result of breaches at one of their suppliers.

Progress Software is facing several lawsuits as a consequence of the attacks. The company has been hit with legal action from organisations including Bank of America, TD Ameritrade and Johns Hopkins University, as well as dozens of others.
