CVE-2023-40044
CVE-2023-40044 is a critical-severity vulnerability in Progress Ws Ftp Server with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-05). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-10-05)
- EU (EUVD) id: EUVD-2023-44651
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-10-05)
- Weakness: CWE-502
- Affected product: Progress Ws Ftp Server
- Published:
- Last modified:
Description
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
CVE-2023-40044: WS_FTP Server .NET Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-40044 |
| CVSS 3.1 | 10.0 (Critical) |
| EPSS | 0.9015 |
| KEV | 2023-10-05 |
| CWE | CWE-502 |
Summary
A .NET deserialization vulnerability in the WS_FTP Server Ad Hoc Transfer module allows pre-authenticated remote command execution on the underlying operating system.
Background
WS_FTP Server is a managed file transfer server that includes an Ad Hoc Transfer module for browser-based file transfers. The Ad Hoc Transfer module exposes functionality that processes serialized .NET objects, providing a pathway for remote code execution when those objects are not properly validated.
Root Cause
The vulnerability is classified as CWE-502: Deserialization of Untrusted Data. The Ad Hoc Transfer module accepts and deserializes .NET objects from remote sources without adequate type validation or restrictions. When an attacker supplies a malicious serialized object containing gadget chains, the deserialization process triggers arbitrary code execution within the application context.
Impact
With a CVSS 3.1 score of 10.0 (Critical), this vulnerability is network-exploitable without authentication or user interaction. The attack vector metrics are:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
The changed scope indicates that a successful compromise of the WS_FTP Server process can impact resources beyond the vulnerable component, such as the underlying host operating system.
Exploitation Walkthrough
Ethics Note: The following is a defensive, high-level description for detection and mitigation purposes only. No working exploit code is provided.
An attacker can reach the Ad Hoc Transfer module endpoint over the network and submit a crafted payload that exploits unsafe .NET deserialization. Because the flaw is pre-authenticated, the attacker does not need valid credentials. The payload leverages known .NET deserialization gadget chains to coerce the server into executing operating system commands. In practice, this has been observed leading to full system compromise, including remote shell access and lateral movement.
Affected and Patched Versions
Per the available source data, WS_FTP Server versions prior to 8.7.4 and 8.8.2 are affected. Administrators should consult the vendor's security advisory for the specific patch paths and release notes.
Remediation
- Upgrade immediately to WS_FTP Server 8.7.4 or 8.8.2 (or later), as provided by the vendor.
- Disable the Ad Hoc Transfer module if it is not required for business operations, eliminating the attack surface entirely.
- Apply network segmentation to restrict access to the WS_FTP Server management and Ad Hoc Transfer interfaces to authorized hosts only.
- Review compensating controls such as Web Application Firewall (WAF) rules that detect anomalous serialized payload patterns, though these should not be considered a complete substitute for patching.
Detection
- Monitor web server logs for unusual
POSTrequests to Ad Hoc Transfer module endpoints containing large or encoded payloads. - Look for unexpected child processes spawned by the WS_FTP Server worker process (e.g.,
cmd.exe,powershell.exe, or similar on Windows). - Correlate endpoint telemetry with known indicators of compromise associated with this vulnerability.
- Review connections from unexpected source IPs to the WS_FTP Server Ad Hoc Transfer interface.
Assessment
With an EPSS score of 0.9015 (99.78th percentile) and Known Exploited Vulnerability (KEV) status confirmed as of 2023-10-05, this flaw is under active, widespread exploitation in the wild. The critical CVSS score and pre-authenticated nature make it a high-priority patching target.
Key takeaways:
- Deserialization of untrusted data remains a critical, commonly-exploited weakness in .NET applications.
- Pre-authentication remote code execution in file-transfer infrastructure is a prime target for ransomware and data-exfiltration groups.
References
- http://packetstormsecurity.com/files/174917/Progress-Software-WS_FTP-Unauthenticated-Remote-Code-Execution.html
- https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
- https://censys.com/cve-2023-40044/
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
- https://www.progress.com/ws_ftp
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- https://www.theregister.com/2023/10/02/ws_ftp_update/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-40044
Frequently asked questions
- What is CVE-2023-40044?
- In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
- How severe is CVE-2023-40044?
- CVE-2023-40044 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-40044 being actively exploited?
- Yes. CVE-2023-40044 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-40044?
- CVE-2023-40044 affects Progress Ws Ftp Server. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-40044?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-40044 have an EU (EUVD) identifier?
- Yes. CVE-2023-40044 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-44651. It is also flagged as exploited in the EUVD (since 2023-10-05).
- When was CVE-2023-40044 published?
- CVE-2023-40044 was published on 2023-09-27 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/174917/Progress-Software-WS_FTP-Unauthenticated-Remote-Code-Execution.html
- https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
- https://censys.com/cve-2023-40044/
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
- https://www.progress.com/ws_ftp
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- https://www.theregister.com/2023/10/02/ws_ftp_update/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-40044
Affected products (1)
- cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*
More vulnerabilities in Progress Ws Ftp Server
- CVE-2023-42657 — Critical (CVSS 9.9): In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker…
- CVE-2023-42659 — Critical (CVSS 9.1): In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An…
- CVE-2008-0590 — Critical (CVSS 9.0): Buffer overflow in Ipswitch WS_FTP Server with SSH 6.1.0.0 allows remote authenticated users to cause a denial of…
- CVE-2023-40047 — High (CVSS 8.3): In WS_FTP Server version prior to 8.8.2, a stored cross-site scripting (XSS) vulnerability exists in WS_FTP Server's…
- CVE-2023-40045 — High (CVSS 8.3): In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in…
- CVE-2023-40046 — High (CVSS 8.2): In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager…
All CVEs affecting Progress Ws Ftp Server →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →