CVE-2024-9999: 
WS_FTP Server vulnerability analysis and mitigation

CVE-2024-9999 affects WS_FTP Server versions before 8.8.9 (2022.0.9). The vulnerability was discovered and disclosed in November 2024, involving an incorrect implementation of authentication algorithm in the Web Transfer Module. This security flaw allows users to bypass second-factor verification and authenticate using only username and password (NVD).

The vulnerability is classified as an Incorrect Implementation of Authentication Algorithm (CWE-303). The issue specifically affects the Web Transfer Module's authentication mechanism. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network accessibility with high privileges required (NVD).

The vulnerability allows attackers to bypass the two-factor authentication mechanism, potentially gaining unauthorized access to the WS_FTP Server using only username and password credentials. This could lead to unauthorized file access and transfer capabilities within the system (NVD).

Users are advised to upgrade to WS_FTP Server version 8.8.9 (2022.0.9) or later to address this vulnerability. The fix has been included in the November 2024 service pack (Progress Community).