CVE-2023-40044
Published: 27 September 2023
Summary
CVE-2023-40044 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress WS_FTP Server. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-40044 is a .NET deserialization vulnerability (CWE-502) affecting the Ad Hoc Transfer module in WS_FTP Server versions prior to 8.7.4 and 8.8.2. The flaw carries a CVSS 3.1 score of 10.0 and permits unauthenticated remote code execution on the underlying operating system.
An attacker with network access can send a crafted request to the affected module before authentication, triggering deserialization that results in arbitrary command execution with the privileges of the WS_FTP Server process. The attack requires no user interaction and can impact confidentiality, integrity, and availability across the host.
Vendor guidance from Progress Software directs customers to upgrade to the fixed releases 8.7.4 or 8.8.2; public exploit code and detailed technical analyses have been published on Packet Storm and by Assetnote, while Censys and AttackerKB provide additional exposure and exploitation context. The associated EPSS score remains near its peak of 0.9445.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44651
Vulnerability details
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 05 October 2023
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor-supplied patches (8.7.4/8.8.2) that eliminate the .NET deserialization flaw in the Ad Hoc Transfer module.
- SI-10 (Information Input Validation): enforces validation of untrusted serialized input before .NET deserialization occurs, blocking the crafted object that triggers RCE.
- Limits privileges of the WS_FTP Server process so that even successful deserialization-based command execution yields reduced system impact.
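What "validating untrusted serialized input before .NET deserialization" (the SI-10 control above) looks like in code, as an added illustration; this is not WS_FTP Server code and makes no claim about how the Ad Hoc Transfer module is implemented. The type and member names (TransferRequest, SafeInput, AllowListBinder) and the size limits are assumptions chosen for the example. It shows the preferred pattern, deserializing into a closed contract type with a non-polymorphic serializer and then checking field semantics, alongside the stopgap for legacy code that cannot yet drop BinaryFormatter: a fail-closed allow-list SerializationBinder.

```csharp
#nullable enable
// Added example (not WS_FTP Server code): defensive handling of untrusted
// serialized input in .NET, illustrating NIST SI-10 against a CWE-502 flaw.
// All names and limits below are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Text;
using System.Text.Json;

// A sealed contract type: the deserializer can only ever produce this shape,
// so no type named inside the payload is ever instantiated.
public sealed class TransferRequest
{
    public string FileName { get; set; } = "";
    public long SizeBytes { get; set; }
}

public static class SafeInput
{
    private const int MaxBodyBytes = 64 * 1024;                    // reject oversized payloads early
    private const long MaxTransferBytes = 10L * 1024 * 1024 * 1024; // assumed business limit

    // System.Text.Json never honours a type name embedded in the input unless
    // polymorphism is explicitly configured, which is why it is used here.
    private static readonly JsonSerializerOptions Strict = new()
    {
        PropertyNameCaseInsensitive = false,
        AllowTrailingCommas = false,
        ReadCommentHandling = JsonCommentHandling.Disallow,
        MaxDepth = 8, // shallow documents only; deep nesting is never legitimate here
    };

    // Returns null on any validation failure; the caller maps null to a 400,
    // never to an exception that reaches the process boundary.
    public static TransferRequest? Parse(ReadOnlySpan<byte> body)
    {
        if (body.Length == 0 || body.Length > MaxBodyBytes) return null;

        TransferRequest? req;
        try { req = JsonSerializer.Deserialize<TransferRequest>(body, Strict); }
        catch (JsonException) { return null; }
        if (req is null) return null;

        // Semantic checks on the decoded fields, not just syntactic ones.
        if (string.IsNullOrWhiteSpace(req.FileName) || req.FileName.Length > 255) return null;
        if (req.FileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (Path.GetFileName(req.FileName) != req.FileName) return null; // no directory components
        if (req.SizeBytes <= 0 || req.SizeBytes > MaxTransferBytes) return null;
        return req;
    }
}

// Stopgap for legacy code that still calls BinaryFormatter (obsolete, and
// disabled by default in current .NET): an allow-list binder assigned to
// BinaryFormatter.Binder so the formatter can only instantiate named types.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        [typeof(TransferRequest).FullName!] = typeof(TransferRequest),
    };

    public override Type? BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Fail closed: returning null would let the formatter resolve the type itself.
        throw new SerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs, not captured traffic.
        var ok  = Encoding.UTF8.GetBytes("{\"FileName\":\"report.pdf\",\"SizeBytes\":1024}");
        var bad = Encoding.UTF8.GetBytes("{\"FileName\":\"../web.config\",\"SizeBytes\":1024}");
        Console.WriteLine(SafeInput.Parse(ok)  is null ? "ok: rejected"  : "ok: accepted");   // accepted
        Console.WriteLine(SafeInput.Parse(bad) is null ? "bad: rejected" : "bad: accepted");  // rejected
    }
}
```

The two halves map to the two remediation paths a defender actually has: where the code can be changed, replace the polymorphic formatter with a closed contract type and validate the decoded fields; where it cannot yet be changed, bolt the binder onto the existing formatter so that every type it tries to construct is checked against an allow list before construction. Neither replaces the vendor patch (SI-2); they limit how much a payload aimed at a deserializer can do.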