CVE-2014-2735

Name of the Vulnerable Software and Affected Versions WinSCP versions prior to 5.5.3

Description The issue arises when using FTP with TLS, as it fails to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows attackers to potentially spoof SSL servers via an arbitrary valid certificate.

Recommendations For versions prior to 5.5.3, update to version 5.5.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of FTP with TLS until the update is applied. Restrict access to sensitive data and servers to minimize the risk of exploitation.