10
CVE-2023-40044
- EPSS 94.43%
- Published 27.09.2023 15:18:57
- Last modified 10.03.2025 20:32:25
- Source security@progress.com
- Teams watchlist Login
- Open Login
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Data is provided by the National Vulnerability Database (NVD)
Progress ≫ Ws Ftp Server Version < 8.7.4
Progress ≫ Ws Ftp Server Version >= 8.8 < 8.8.2
05.10.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
VulnerabilityProgress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.
DescriptionApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.43% | 1 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@progress.com | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.