CVE-2023-40044 Overview
CVE-2023-40044 is a critical insecure deserialization vulnerability affecting Progress WS_FTP Server that allows pre-authenticated attackers to execute arbitrary remote commands on the underlying operating system. The vulnerability exists in the Ad Hoc Transfer module and stems from improper handling of .NET deserialization operations, enabling attackers to craft malicious serialized objects that execute system-level commands when processed by the server.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Pre-authenticated remote code execution capability makes this an extremely high-priority security issue for organizations running vulnerable WS_FTP Server instances.
Affected Products
- Progress WS_FTP Server versions prior to 8.7.4
- Progress WS_FTP Server versions prior to 8.8.2
- WS_FTP Server installations with the Ad Hoc Transfer module enabled
Discovery Timeline
- September 27, 2023 - CVE-2023-40044 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2023-40044
Vulnerability Analysis
CVE-2023-40044 is a severe security flaw in the WS_FTP Server's Ad Hoc Transfer module. It stems from .NET deserialization weaknesses that let an attacker submit specially crafted serialized objects through network requests. When the vulnerable IIS HTTP module processes these malicious payloads, it deserializes the objects without proper validation, leading to arbitrary code execution in the context of the WS_FTP Server process.
The attack can be executed without authentication, significantly lowering the barrier for exploitation. Due to the nature of .NET deserialization attacks, successful exploitation grants attackers the ability to execute commands with the same privileges as the WS_FTP Server service, potentially leading to complete system compromise.
Root Cause
The root cause of CVE-2023-40044 is classified as CWE-502: Deserialization of Untrusted Data. The Ad Hoc Transfer module in WS_FTP Server processes serialized .NET objects from user-supplied input without adequate validation or sanitization. This allows attackers to inject malicious serialized objects that, when deserialized by the application, execute arbitrary code or commands.
The vulnerability specifically manifests in IIS HTTP modules used by the Ad Hoc Transfer feature, where the deserialization process trusts input data implicitly, allowing object instantiation and method invocation based on attacker-controlled data.
Attack Vector
The attack vector for CVE-2023-40044 is network-based and requires no authentication, making it highly accessible to remote attackers. An attacker can target exposed WS_FTP Server instances over the network by sending crafted HTTP requests to the Ad Hoc Transfer module endpoints.
The exploitation process involves constructing a malicious .NET serialized payload designed to trigger code execution during deserialization. Common .NET deserialization gadget chains can be leveraged to achieve remote command execution on the underlying Windows operating system hosting the WS_FTP Server.
For detailed technical analysis of the exploitation technique, refer to the Assetnote Research on WS FTP RCE publication that documents the vulnerability mechanism through IIS HTTP modules.
Detection Methods for CVE-2023-40044
Indicators of Compromise
- Unusual HTTP POST requests to Ad Hoc Transfer module endpoints containing Base64-encoded or serialized .NET object payloads
- Unexpected child processes spawned by w3wp.exe (IIS worker process) or WS_FTP Server processes
- Command execution artifacts such as cmd.exe, powershell.exe, or certutil.exe invoked from IIS application pool contexts
- Network connections from WS_FTP Server to unknown external IP addresses indicating potential command and control activity
Detection Strategies
- Monitor IIS logs for anomalous requests to WS_FTP Ad Hoc Transfer endpoints, particularly those with unusually large request bodies or suspicious content types
- Implement endpoint detection rules to alert on .NET deserialization gadget patterns such as ObjectDataProvider, TypeConfuseDelegate, or similar known exploitation payloads
- Deploy network intrusion detection signatures to identify serialized .NET object traffic targeting WS_FTP Server ports
- Enable process creation auditing to detect unauthorized command execution originating from IIS worker processes
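The IIS log review described above can be scripted. The following is an added example, not part of the original advisory or any vendor tooling: it reads the `#Fields:` directive of a W3C-format IIS log and reports POST requests under the Ad Hoc Transfer path whose request body is large or whose size was not logged. The path prefix is a placeholder (the advisory does not name the endpoint), and the threshold and sample log lines are constructed.

```python
"""Triage IIS W3C logs for large POSTs to the Ad Hoc Transfer path."""

# Assumption: replace with the virtual directory your Ad Hoc Transfer
# module is published under; the advisory does not name it.
AHT_PREFIX = "/ADHOC-TRANSFER-PLACEHOLDER/"
LARGE_BODY = 4096  # bytes; constructed threshold, tune against a baseline

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes cs(User-Agent)
2023-09-30 10:01:02 198.51.100.7 GET /ADHOC-TRANSFER-PLACEHOLDER/login.aspx 200 412 Mozilla/5.0
2023-09-30 10:01:09 203.0.113.44 POST /adhoc-transfer-placeholder/api 500 18734 python-requests/2.31
2023-09-30 10:02:30 198.51.100.7 POST /ADHOC-TRANSFER-PLACEHOLDER/upload 200 1020 Mozilla/5.0
2023-09-30 10:03:11 203.0.113.44 POST /other/app 200 99999 curl/8.1
"""


def suspicious_requests(log_text, prefix=AHT_PREFIX, min_bytes=LARGE_BODY):
    """Return (hits, warnings) for POSTs under prefix with large bodies."""
    fields, hits, warnings = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS re-emits this directive whenever the logged fields change.
            fields = line.split()[1:]
            if "cs-bytes" not in fields:
                warnings.append("cs-bytes not logged: body size unavailable")
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-method", "").upper() != "POST":
            continue
        # IIS paths are case-insensitive, so compare lower-cased.
        if not row.get("cs-uri-stem", "").lower().startswith(prefix.lower()):
            continue
        size = row.get("cs-bytes", "-")
        if size.isdigit() and int(size) < min_bytes:
            continue  # small POST, likely routine form traffic
        # Unknown size ("-" or field absent) is kept for manual review.
        hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                     row.get("cs-uri-stem"), size))
    return hits, warnings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG)[0]:
        print(hit)
```

`cs-bytes` is an optional IIS logging field; when it is missing the function returns a warning and keeps every matching POST rather than silently filtering on a size it cannot see.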
Monitoring Recommendations
- Enable verbose logging on WS_FTP Server and IIS to capture detailed request information for forensic analysis
- Implement real-time alerting for any code execution attempts detected on systems running WS_FTP Server
- Monitor network traffic for connections to known malicious infrastructure or unusual outbound connections from file transfer servers
- Regularly review system process trees to identify suspicious process hierarchies indicating exploitation attempts
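The process-hierarchy review above, and the child-process indicators listed earlier, can be checked by walking each process's ancestry rather than only its direct parent. This is an added example, not part of the original advisory: the records are constructed and use Sysmon Event ID 1 field names (`ProcessGuid`, `ParentProcessGuid`, `Image`) as an assumption about the telemetry source.

```python
"""Flag command interpreters descended from the IIS worker process."""
import ntpath

# Children the advisory lists as execution artifacts under IIS.
WATCHED = {"cmd.exe", "powershell.exe", "certutil.exe"}
WORKER = "w3wp.exe"

# Constructed process-creation records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "A0",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "A3", "ParentProcessGuid": "A2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"ProcessGuid": "B1", "ParentProcessGuid": "B0",
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "B2", "ParentProcessGuid": "B1",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def name_of(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def descended_from_worker(events):
    """Return [(guid, image, chain)] for watched processes under w3wp.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for event in events:
        if name_of(event["Image"]) not in WATCHED:
            continue
        chain, seen = [name_of(event["Image"])], {event["ProcessGuid"]}
        parent = by_guid.get(event["ParentProcessGuid"])
        # Walk upward; `seen` guards against malformed, cyclic records.
        while parent and parent["ProcessGuid"] not in seen:
            seen.add(parent["ProcessGuid"])
            chain.append(name_of(parent["Image"]))
            if chain[-1] == WORKER:
                findings.append((event["ProcessGuid"], event["Image"],
                                 " <- ".join(chain)))
                break
            parent = by_guid.get(parent["ParentProcessGuid"])
    return findings


if __name__ == "__main__":
    for finding in descended_from_worker(SAMPLE_EVENTS):
        print(finding)
```

Keying on process GUIDs instead of PIDs avoids false links when Windows reuses a PID, and the ancestry walk catches a PowerShell launched by a `cmd.exe` that was itself spawned by `w3wp.exe`.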
How to Mitigate CVE-2023-40044
Immediate Actions Required
- Upgrade WS_FTP Server to version 8.7.4 or 8.8.2 (or later) immediately to remediate this vulnerability
- If immediate patching is not possible, disable the Ad Hoc Transfer module to eliminate the vulnerable attack surface
- Isolate WS_FTP Server systems from untrusted networks and restrict access to authorized IP addresses only
- Review system logs for indicators of compromise and conduct forensic analysis if exploitation is suspected
- Report confirmed exploitation to CISA, as this vulnerability is in the Known Exploited Vulnerabilities catalog
Patch Information
Progress Software has released security patches addressing CVE-2023-40044 in WS_FTP Server versions 8.7.4 and 8.8.2. Organizations should consult the Progress Security Article on WS FTP for official patch download links and installation guidance. The patches address the insecure deserialization vulnerability in the Ad Hoc Transfer module by implementing proper input validation and restricting object types that can be deserialized.
Workarounds
- Disable the Ad Hoc Transfer module in WS_FTP Server configuration if the feature is not required for business operations
- Implement network segmentation to restrict access to WS_FTP Server from untrusted networks
- Deploy a Web Application Firewall (WAF) with rules to block .NET deserialization attack patterns
- Use network access control lists (ACLs) to limit connectivity to WS_FTP Server to known authorized IP addresses only
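A sketch of the content check behind a WAF rule or IDS signature for .NET deserialization patterns, as an added example that is not part of the original advisory or any vendor rule set. It looks for the two gadget type names the advisory mentions, both in the raw body and inside Base64 runs. Assumptions: payloads are BinaryFormatter streams, which typically begin with the header bytes shown; the 24-character Base64 minimum is arbitrary; the sample body is constructed and inert (header bytes plus a type name, no object graph).

```python
"""Scan an HTTP request body for Base64-wrapped .NET serialized objects."""
import base64
import re
from urllib.parse import quote, unquote_to_bytes

# Type names the advisory lists as known gadget indicators.
GADGET_NAMES = (b"ObjectDataProvider", b"TypeConfuseDelegate")
# Assumption: BinaryFormatter streams typically start with this header.
BINFMT_MAGIC = bytes.fromhex("0001000000ffffffff")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def scan_body(body):
    """Return sorted reasons why a request body looks like a .NET payload."""
    body = unquote_to_bytes(body)  # form fields percent-encode '/', '+', '='
    reasons = set()
    candidates = [body]
    for match in B64_RUN.finditer(body):
        blob = match.group(0)
        blob = blob[: len(blob) - len(blob) % 4]  # trim to a decodable length
        try:
            candidates.append(base64.b64decode(blob, validate=True))
        except ValueError:
            continue  # looked like Base64 but was not
    for data in candidates:
        if data.startswith(BINFMT_MAGIC):
            reasons.add("binaryformatter-header")
        for name in GADGET_NAMES:
            # Type names may be stored as UTF-8 or UTF-16LE strings.
            if name in data or name.decode().encode("utf-16-le") in data:
                reasons.add("gadget-type:" + name.decode())
    return sorted(reasons)


def constructed_sample():
    """Inert test body: header bytes and a type name, not a real object."""
    inert = (BINFMT_MAGIC + b"\x00" * 8
             + b"System.Windows.Data.ObjectDataProvider")
    return b"field=" + quote(base64.b64encode(inert), safe="").encode()


if __name__ == "__main__":
    print(scan_body(constructed_sample()))
    print(scan_body(b"user=alice&comment=hello+world"))
```

String matching of this kind is a tripwire, not a fix: encodings or gadget types outside the list pass unnoticed, so it complements patching and disabling the module rather than replacing them.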
```bat
REM Verify WS_FTP Server version and check for vulnerable installations
REM Check installed version from Program Files
dir "C:\Program Files\WS_FTP Server\"
REM Review IIS application pool configuration for WS_FTP
%windir%\system32\inetsrv\appcmd list apppool
REM Check if Ad Hoc Transfer module is enabled in configuration
REM Location may vary based on installation
type "C:\Program Files\WS_FTP Server\*config*" | findstr /i "adhoc"
```

