Progress Software has urged its customers to immediately patch a critical vulnerability in its WS_FTP Server software. This vulnerability, identified as CVE-2023-42659 and carrying a CVSS score of 9.1, allows authenticated Ad Hoc Transfer users to upload files to arbitrary locations on the underlying operating system hosting the WS_FTP Server application. This potentially devastating vulnerability could grant attackers unrestricted access to sensitive data and compromise entire systems.
WS_FTP Server is a widely used enterprise-grade file transfer software, employed by thousands of IT teams worldwide. The CVE-2023-42659 vulnerability affects versions before 8.7.6 and 8.8.4, leaving a significant number of installations exposed to potential exploitation.
WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user can craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.
Progress Software has emphasized that upgrading to a patched release is the only way to effectively remediate this vulnerability. However, users should be aware that the upgrade process will temporarily halt the WS_FTP Server service, causing a brief outage.
To minimize the disruption caused by the upgrade, it is advisable to schedule the update during a period of low system usage. With prior caution, create a full backup of the WS_FTP Server configuration before proceeding with the upgrade.
Organizations are strongly advised to prioritize this vulnerability and take immediate action to upgrade their WS_FTP Server installations to the patched versions. By promptly addressing this critical flaw, organizations can safeguard their systems and sensitive data from potential exploitation.