CVE-2024-9999
📋 TL;DR
This vulnerability allows attackers to bypass two-factor authentication in WS_FTP Server's Web Transfer Module. Users can log in with only username and password, skipping the required second verification factor. Organizations using affected WS_FTP Server versions are impacted.
💻 Affected Systems
- WS_FTP Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive files and data, potentially leading to data theft, modification, or deletion of critical information.
Likely Case
Unauthorized users access FTP resources they shouldn't have permission to view or download, compromising data confidentiality.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the FTP server itself with no lateral movement to other systems.
🎯 Exploit Status
Exploitation requires valid username and password credentials but bypasses the second authentication factor.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.8.9 (2022.0.9) or later
Vendor Advisory: https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024
Restart Required: Yes
Instructions:
1. Download WS_FTP Server version 8.8.9 or later from Progress website.
2. Backup current configuration.
3. Run installer to upgrade.
4. Restart WS_FTP Server service.
5. Verify authentication works correctly with 2FA.
🔧 Temporary Workarounds
Disable Web Transfer Module
Windows: Temporarily disable the vulnerable Web Transfer Module until patching is possible
Stop WS_FTP Server Web Transfer service
Network Access Control
All platforms: Restrict access to WS_FTP Server to trusted IP addresses only
Configure firewall rules to limit inbound connections
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WS_FTP Server from sensitive systems
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check WS_FTP Server version in administration console or via installed programs list
Check Version:
Check WS_FTP Server About dialog or installed programs list for version number
Verify Fix Applied:
Test two-factor authentication login process to confirm both factors are required
📡 Detection & Monitoring
Log Indicators:
- Successful logins without second-factor verification
- Multiple failed 2FA attempts followed by successful login
Network Indicators:
- Unusual authentication patterns to WS_FTP Server
- Access from unexpected IP addresses
SIEM Query:
source="ws_ftp_logs" AND (event="login_success" AND NOT event="2fa_success")
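The SIEM query above tests one event at a time, so as written it matches every login_success record; the log indicators listed need correlation across events. The following is an added example (not from the vendor or this page's source) that correlates per user and source address over constructed log lines. The line format and the `2fa_failure`, `password_ok`, `user` and `src` names are assumptions, not WS_FTP Server's actual log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the real log format and field names will differ.
SAMPLE_LOG = """\
2024-11-12T08:00:00 user=dave src=10.0.0.9 event=2fa_success
2024-11-12T09:00:01 user=alice src=10.0.0.5 event=password_ok
2024-11-12T09:00:09 user=alice src=10.0.0.5 event=2fa_success
2024-11-12T09:00:10 user=alice src=10.0.0.5 event=login_success
2024-11-12T09:05:00 user=bob src=203.0.113.7 event=password_ok
2024-11-12T09:05:01 user=bob src=203.0.113.7 event=login_success
2024-11-12T09:10:00 user=carol src=10.0.0.8 event=2fa_failure
2024-11-12T09:10:05 user=carol src=10.0.0.8 event=2fa_failure
2024-11-12T09:10:09 user=carol src=10.0.0.8 event=login_success
2024-11-12T09:20:00 user=dave src=10.0.0.9 event=login_success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) event=(\S+)$")

def find_logins_without_2fa(log_text, window=timedelta(minutes=2)):
    """Return login_success events with no 2fa_success for the same
    user and source address inside the preceding time window."""
    last_2fa = {}   # (user, src) -> time of the most recent unused 2fa_success
    failures = {}   # (user, src) -> 2fa_failure count since the last login/success
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, src, event = m.groups()
        when = datetime.fromisoformat(ts)
        key = (user, src)
        if event == "2fa_success":
            last_2fa[key] = when
            failures[key] = 0
        elif event == "2fa_failure":
            failures[key] = failures.get(key, 0) + 1
        elif event == "login_success":
            # pop: one second-factor success covers a single login only
            ok = last_2fa.pop(key, None)
            if ok is None or when - ok > window:
                findings.append({"time": ts, "user": user, "src": src,
                                 "failed_2fa_before": failures.get(key, 0)})
            failures[key] = 0
    return findings

if __name__ == "__main__":
    for f in find_logins_without_2fa(SAMPLE_LOG):
        print(f)
```

A non-zero `failed_2fa_before` on a finding corresponds to the "failed 2FA attempts followed by successful login" indicator; the two-minute window is an arbitrary default to tune against normal login timing.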