CVE-2023-40044 — Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability

Progress WS_FTP Server Ad Hoc Transfer — CVSS 10.0 Pre-Auth .NET Deserialization Achieves RCE as SYSTEM; Rapid7 PoC; Ransomware Exploitation; September 2023

What is Progress WS_FTP Server?

Progress WS_FTP Server is a widely used enterprise file transfer server for Windows, providing FTP, FTPS, SFTP, SCP, and HTTP-based file transfer capabilities. The Ad Hoc Transfer module is a web-based component (built on ASP.NET) that allows users to send files via web browser through a portal hosted on the WS_FTP Server. Organizations in healthcare, finance, government, and manufacturing use WS_FTP Server for managed file transfer (MFT) — often to transfer regulated data (PHI, PII, financial records) that cannot be sent via email. Progress WS_FTP was targeted by ransomware operators in the same pattern as the MOVEit Transfer campaign from the same period.

Overview

CVE-2023-40044 is a CVSS 10.0 pre-authentication .NET deserialization vulnerability in the Progress WS_FTP Server Ad Hoc Transfer module, enabling unauthenticated remote code execution as SYSTEM on Windows. Progress Software patched it on September 27, 2023; Rapid7 published a PoC two days later; and mass exploitation by ransomware operators began within days. CISA added it to KEV on October 5. The vulnerability emerged in a period of intense focus on enterprise file transfer platforms — MOVEit Transfer had been mass-exploited by Cl0p ransomware just months earlier, and attackers were actively hunting similar vulnerabilities in competing products.

Affected Versions

Product          Vulnerable   Fixed
WS_FTP Server    < 8.8.2      8.8.2

Technical Details

The weakness class is CWE-502 (Deserialization of Untrusted Data). The WS_FTP Server Ad Hoc Transfer module is an ASP.NET web application. A .NET deserialization flaw in the module's request handling allows an unauthenticated attacker to send a crafted HTTP request containing a malicious serialized .NET object. When the ASP.NET runtime deserializes the object, attacker-controlled code executes on the server before any authentication check is applied.

The IIS/ASP.NET process running WS_FTP Server typically operates with SYSTEM-level privileges on Windows, meaning the deserialized code executes as SYSTEM — the highest privilege level on Windows. This provides the attacker with complete control of the WS_FTP Server host and access to all files transferred through or stored on the server.

The Scope Changed (S:C) rating reflects that the impact extends beyond the WS_FTP process to all resources accessible by the SYSTEM account on the Windows host.
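To make the CWE-502 mechanism concrete, the following is an added illustration in Python, written for this page; it is not the WS_FTP Server Ad Hoc Transfer code (which is ASP.NET) and it sends nothing over a network. The Python pickle format plays the role of the .NET serialized object: a loader that lets the byte stream name which callable to resolve will run stream-chosen logic during parsing, which is exactly the pattern the advisory describes. The two hardened variants (a loader that refuses to resolve any global, and a data-only JSON parse into a fixed schema) are the defensive counterparts; the class and field names are assumptions for the example.

```python
"""Added CWE-502 illustration (constructed example, not Progress or Rapid7 code).
The untrusted stream below names os.getcwd, a harmless stand-in callable; the
lesson is that the stream, not the application, chooses what runs."""
import io
import json
import os
import pickle
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferRequest:
    """Assumed shape of a transfer request: exactly two string fields."""
    filename: str
    recipient: str


def validate(obj):
    """Fixed-schema check applied after any parse; rejects anything extra."""
    if not isinstance(obj, dict) or set(obj) != {"filename", "recipient"}:
        raise ValueError("unexpected shape")
    if not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("fields must be strings")
    return TransferRequest(**obj)


class ReducesToCallable:
    """When serialized, this object is replaced by an instruction telling the
    loader to call os.getcwd() and use its return value as the result."""
    def __reduce__(self):
        return (os.getcwd, ())


def make_untrusted_blob():
    """Constructed: a stream that names a callable for the loader to resolve."""
    return pickle.dumps(ReducesToCallable())


def make_benign_blob():
    """Constructed: the data a legitimate client would send."""
    return pickle.dumps({"filename": "report.pdf", "recipient": "alice@example.com"})


def unsafe_load(blob):
    """The vulnerable pattern (CWE-502): deserialize untrusted bytes as-is.
    For the untrusted blob this returns the output of os.getcwd(), proving that
    a function the application never intended to call was invoked."""
    return pickle.loads(blob)


class DataOnlyUnpickler(pickle.Unpickler):
    """Defense 1: refuse to resolve any class or function named in the stream,
    so only primitive containers (dict, list, str, int, ...) can be loaded."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob):
    return validate(DataOnlyUnpickler(io.BytesIO(blob)).load())


def schema_load(text):
    """Defense 2 (preferred): a data-only format parsed into a fixed schema.
    JSON carries no type names, so nothing in the input can select code."""
    return validate(json.loads(text))


if __name__ == "__main__":
    print("unsafe_load ran the stream's callable:", unsafe_load(make_untrusted_blob()))
    print("restricted_load on benign data:", restricted_load(make_benign_blob()))
    try:
        restricted_load(make_untrusted_blob())
    except pickle.UnpicklingError as exc:
        print("restricted_load rejected the untrusted stream:", exc)
```

The `find_class` override is the same allowlisting idea that .NET serialization binders implement; the JSON variant is stronger because the format cannot express a type reference at all, which is why data-only formats with explicit schema validation are the usual recommendation for request bodies on unauthenticated endpoints.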

Discovery

Discovered and reported to Progress Software by Assetnote security researchers Shubham Shah and Adam Kues, along with Rapid7's research team. Rapid7 published a detailed PoC and technical analysis on September 29, two days after the patch, enabling rapid exploitation by attackers who could follow the disclosed technique.

Exploitation Context

Following Rapid7's public PoC, Huntress Labs documented widespread attacks against WS_FTP Server instances beginning October 1. Multiple ransomware groups incorporated CVE-2023-40044 into initial access campaigns — using WS_FTP admin access to harvest files (data theft) and as a pivot point for broader network compromise and ransomware deployment. The attack pattern followed Cl0p's summer 2023 MOVEit campaign: identify an enterprise file transfer product vulnerability, exploit it rapidly before patching, harvest data from transfer queues and storage, and extort organizations.

Remediation

  1. Upgrade WS_FTP Server to version 8.8.2 or later immediately.
  2. If the Ad Hoc Transfer module is not needed, disable it as a defense-in-depth measure (even after patching).
  3. Review WS_FTP Server transfer logs and web access logs for the period September 27 – October 5, 2023 (and after) for unauthorized access or file transfers.
  4. Check the WS_FTP Server host for signs of post-exploitation: unexpected processes, new user accounts, web shells, scheduled tasks, or evidence of lateral movement tools.
  5. Rotate all credentials stored in WS_FTP Server configuration and any credentials transmitted through WS_FTP during the vulnerable period.
  6. Restrict WS_FTP Server's web interface (HTTP/HTTPS) access to authenticated users via VPN or IP allowlist — the Ad Hoc Transfer portal should not be publicly internet-accessible.
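The checklist above is the kind of thing a responder scripts once and runs on every WS_FTP host. The following is an added Python triage helper written for this page (not Progress, Rapid7 or Huntress code) covering step 1 (is the installed build below 8.8.2?) together with steps 3 and 6 (which requests reached the Ad Hoc Transfer web module on or after the patch date and came from outside the allowlist?). Everything environment-specific is an assumption to replace: `AHT_PREFIX` stands in for the module's virtual directory as it appears in the IIS log, `ALLOWED_NETS` for the ranges that should legitimately reach the portal, and the sample log is constructed in IIS W3C format with documentation addresses.

```python
"""Added post-patch triage helper for CVE-2023-40044 (constructed example).
Assumptions: AHT_PREFIX and ALLOWED_NETS are placeholders; SAMPLE_LOG is made up."""
from datetime import date, datetime
import ipaddress

FIXED_VERSION = (8, 8, 2)                 # first fixed build per the advisory
WINDOW_START = date(2023, 9, 27)          # patch release date; scan from here on
AHT_PREFIX = "/aht/"                      # placeholder: module path, compared lower-cased
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # placeholder allowlist


def parse_version(text):
    """'8.8.1' -> (8, 8, 1). Non-numeric suffixes are ignored and short strings
    are zero-padded, so '8.8' compares as 8.8.0."""
    fields = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        fields.append(int(digits) if digits else 0)
    return tuple((fields + [0, 0, 0])[:3])


def is_vulnerable(version_text):
    """True when the build predates 8.8.2 (remediation step 1)."""
    return parse_version(version_text) < FIXED_VERSION


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines, taking the
    column names from the '#Fields:' directive so the field order is not assumed."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def is_allowlisted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def triage(lines, start=WINDOW_START):
    """Return requests to the Ad Hoc Transfer module on or after `start` from a
    non-allowlisted address (steps 3 and 6). The bug is pre-auth, so an empty
    cs-username ('-') is expected on an attempt and is reported, not excused."""
    findings = []
    for rec in parse_w3c(lines):
        when = datetime.strptime(rec["date"], "%Y-%m-%d").date()
        if when < start:
            continue
        if not rec["cs-uri-stem"].lower().startswith(AHT_PREFIX):
            continue
        if is_allowlisted(rec["c-ip"]):
            continue
        findings.append({
            "date": rec["date"], "time": rec["time"], "c-ip": rec["c-ip"],
            "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "authenticated": rec.get("cs-username", "-") != "-",
        })
    return findings


# Constructed sample in IIS W3C format; paths, agents and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-09-26 08:15:02 10.0.0.5 GET /AHT/index.aspx - 443 - 10.0.0.77 Mozilla/5.0 200
2023-09-30 03:12:44 10.0.0.5 POST /AHT/index.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-10-02 22:41:10 10.0.0.5 POST /AHT/index.aspx - 443 jdoe 10.0.0.88 Mozilla/5.0 200
2023-10-03 01:05:33 10.0.0.5 GET /login.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
2023-10-12 17:58:09 10.0.0.5 POST /AHT/index.aspx - 443 - 192.0.2.10 curl/8.4.0 500
"""

if __name__ == "__main__":
    print("8.8.1 vulnerable:", is_vulnerable("8.8.1"))
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log the helper reports the two unauthenticated POSTs from non-allowlisted addresses (2023-09-30 and 2023-10-12) and ignores the pre-patch request, the allowlisted user and the request outside the module path. A hit is a lead for the host-level checks in step 4, not proof of compromise; a 200 on an unauthenticated POST from the internet is the strongest signal here because it means the module accepted the request.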

Key Details

Property              Value
CVE ID                CVE-2023-40044
Vendor / Product      Progress — WS_FTP Server
NVD Published         2023-09-27
NVD Last Modified     2025-10-31
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-502
CISA KEV Added        2023-10-05
CISA KEV Deadline     2023-10-26
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-10-26. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-09-27   Progress Software releases WS_FTP Server 8.8.2, patching CVE-2023-40044 and CVE-2023-42657
2023-09-29   Rapid7 publishes PoC demonstrating pre-auth RCE
2023-10-01   Mass exploitation begins; Huntress Labs reports widespread attacks targeting WS_FTP instances
2023-10-05   CISA adds CVE-2023-40044 to the Known Exploited Vulnerabilities catalog
2023-10-26   CISA BOD 22-01 remediation deadline