Executive Team Note: Our coordinated disclosure policy works on a 90-day timeline: we disclose via our website 90 days after we report to a vendor. If a patch is released before that time, our general policy is to allow 30 days before disclosure to allow for patch uptake. However, if an exploit or PoC is publicly released independently within that timeline, we will publish. In this case, an independent researcher on Twitter/X publicly disclosed a PoC after the patch was released, so we published our research to provide more context around the vulnerability.
An attacker can exploit this vulnerability without authentication to execute arbitrary commands on the Progress WS_FTP server through the deserialization of untrusted data. To exploit this issue, an attacker must be able to reach the WS_FTP web server and the Ad Hoc Transfer application.
An attacker can execute arbitrary commands on the server running WS_FTP, without any authentication.
WS_FTP Server versions prior to 8.7.4 and 8.8.2
WinSock File Transfer Protocol, or WS_FTP, is a secure file transfer software package produced by Ipswitch, Inc. Ipswitch is a Massachusetts-based software producer established in 1991 that focuses on networking and file sharing.
Upgrade to WS_FTP Server 2020.0.4 (8.7.4) or WS_FTP Server 2022.0.2 (8.8.2).
The blog post for this issue can be found here.
Shubham Shah - Assetnote Security Research Team
Sean Yeoh - Assetnote Engineering Lead