CVE-2023-40044

CVE-2023-40044 is a critical-severity vulnerability in Progress Ws Ftp Server with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-05). The underlying weakness is classified as CWE-502.

Key facts

Description

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CVE-2023-40044: WS_FTP Server .NET Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-40044
CVSS 3.1 10.0 (Critical)
EPSS 0.9015
KEV 2023-10-05
CWE CWE-502

Summary

A .NET deserialization vulnerability in the WS_FTP Server Ad Hoc Transfer module allows pre-authenticated remote command execution on the underlying operating system.

Background

WS_FTP Server is a managed file transfer server that includes an Ad Hoc Transfer module for browser-based file transfers. The Ad Hoc Transfer module exposes functionality that processes serialized .NET objects, providing a pathway for remote code execution when those objects are not properly validated.

Root Cause

The vulnerability is classified as CWE-502: Deserialization of Untrusted Data. The Ad Hoc Transfer module accepts and deserializes .NET objects from remote sources without adequate type validation or restrictions. When an attacker supplies a malicious serialized object containing gadget chains, the deserialization process triggers arbitrary code execution within the application context.

Impact

With a CVSS 3.1 score of 10.0 (Critical), this vulnerability is network-exploitable without authentication or user interaction. The attack vector metrics are:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

The changed scope indicates that a successful compromise of the WS_FTP Server process can impact resources beyond the vulnerable component, such as the underlying host operating system.

Exploitation Walkthrough

Ethics Note: The following is a defensive, high-level description for detection and mitigation purposes only. No working exploit code is provided.

An attacker can reach the Ad Hoc Transfer module endpoint over the network and submit a crafted payload that exploits unsafe .NET deserialization. Because the flaw is pre-authenticated, the attacker does not need valid credentials. The payload leverages known .NET deserialization gadget chains to coerce the server into executing operating system commands. In practice, this has been observed leading to full system compromise, including remote shell access and lateral movement.

Affected and Patched Versions

Per the available source data, WS_FTP Server versions prior to 8.7.4 and 8.8.2 are affected. Administrators should consult the vendor's security advisory for the specific patch paths and release notes.

Remediation

  1. Upgrade immediately to WS_FTP Server 8.7.4 or 8.8.2 (or later), as provided by the vendor.
  2. Disable the Ad Hoc Transfer module if it is not required for business operations, eliminating the attack surface entirely.
  3. Apply network segmentation to restrict access to the WS_FTP Server management and Ad Hoc Transfer interfaces to authorized hosts only.
  4. Review compensating controls such as Web Application Firewall (WAF) rules that detect anomalous serialized payload patterns, though these should not be considered a complete substitute for patching.

Detection

  • Monitor web server logs for unusual POST requests to Ad Hoc Transfer module endpoints containing large or encoded payloads.
  • Look for unexpected child processes spawned by the WS_FTP Server worker process (e.g., cmd.exe, powershell.exe, or similar on Windows).
  • Correlate endpoint telemetry with known indicators of compromise associated with this vulnerability.
  • Review connections from unexpected source IPs to the WS_FTP Server Ad Hoc Transfer interface.

Assessment

With an EPSS score of 0.9015 (99.78th percentile) and Known Exploited Vulnerability (KEV) status confirmed as of 2023-10-05, this flaw is under active, widespread exploitation in the wild. The critical CVSS score and pre-authenticated nature make it a high-priority patching target.

Key takeaways:

  • Deserialization of untrusted data remains a critical, commonly-exploited weakness in .NET applications.
  • Pre-authentication remote code execution in file-transfer infrastructure is a prime target for ransomware and data-exfiltration groups.

References

Frequently asked questions

What is CVE-2023-40044?
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
How severe is CVE-2023-40044?
CVE-2023-40044 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-40044 being actively exploited?
Yes. CVE-2023-40044 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-40044?
CVE-2023-40044 affects Progress Ws Ftp Server. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-40044?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-40044 have an EU (EUVD) identifier?
Yes. CVE-2023-40044 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-44651. It is also flagged as exploited in the EUVD (since 2023-10-05).
When was CVE-2023-40044 published?
CVE-2023-40044 was published on 2023-09-27 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Progress Ws Ftp Server

All CVEs affecting Progress Ws Ftp Server →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →