In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.