Admins urged to quickly patch holes in WS_FTP file transfer server

Another set of critical vulnerabilities has been found in a file transfer application, raising worries that, if exploited before being patched, it too will lead to a huge number of data breaches.

Progress Software said this week the eight vulnerabilities — two of which are rated critical — have been found in its WS_FTP Server, used for the secure transfer of critical data.

The holes are in the Ad hoc Transfer Module and in the software’s manager interface.

“All versions of WS_FTP Server are affected by these vulnerabilities,” the company said. “We have addressed these issues and have made version-specific hotfixes available for customers to remediate them.”

The company told The Record that so far it hasn’t seen the vulnerabilities being exploited.

On its website, Progress Software lists case studies of a number of major organizations that have used WS_FTP, including a U.S. school district, a game company, and the Denver Broncos NFL team.

A zero-day vulnerability in Progress Software’s MOVEit file transfer application discovered by the Clop/Cl0p ransomware gang has led to over 2,000 hacks of MOVEit servers and the theft of information of an estimated 62 million people.

Other file transfer applications whose vulnerabilities have led to mass hacks over the past two years include Fortra’s GoAnywhere MFTAccellion FTA and IBM’s Aspera Faspex.

This category of applications may be tempting for threat actors to find holes in because their servers would have large volumes of data sitting there. While secure file transfer servers should have protection for data at rest, if an attacker can get administrator access that could defeat the encryption.

The critical vulnerabilities in WS_FTP include:

CVSS score: 10

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system;

CVSS score: 9.9 

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered.  An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path.  Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.