Cyber Resilience

CVE-2023-40044

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 27 September 2023
Modified: 31 October 2025
KEV Added: 05 October 2023
Patch
CVSS Score (v3.1): 10.0, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 97 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-40044 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress WS_FTP Server. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-40044 is a .NET deserialization vulnerability (CWE-502) affecting the Ad Hoc Transfer module in WS_FTP Server versions prior to 8.7.4 and 8.8.2. The flaw carries a CVSS 3.1 score of 10.0 and permits unauthenticated remote code execution on the underlying operating system.

An attacker with network access can send a crafted request to the affected module before authentication, triggering deserialization that results in arbitrary command execution with the privileges of the WS_FTP Server process. The attack requires no user interaction and can impact confidentiality, integrity, and availability across the host.

Vendor guidance from Progress Software directs customers to upgrade to the fixed releases 8.7.4 or 8.8.2; public exploit code and detailed technical analyses have been published on Packet Storm and by Assetnote, while Censys and AttackerKB provide additional exposure and exploitation context. The associated EPSS score remains near its peak of 0.9445.

EU & UK References

Vulnerability details

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 05 October 2023

Related Threats

Threat-Actor Attribution [AI]

Cl0p
CISA KEV lists CVE-2023-40044 as ransomware-used; public reporting (Mandiant, Rapid7, Progress) attributes mass exploitation to Cl0p in Sept-Oct 2023.

Affected Assets

Progress WS_FTP Server: ≤ 8.7.4 · 8.8 — 8.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-2, Flaw Remediation): Directly requires applying the vendor-supplied patches (8.7.4/8.8.2) that eliminate the .NET deserialization flaw in the Ad Hoc Transfer module.

prevent (SI-10, Information Input Validation): Enforces validation of untrusted serialized input before .NET deserialization occurs, blocking the crafted object that triggers RCE.

prevent: Limits privileges of the WS_FTP Server process so that even successful deserialization-based command execution yields reduced system impact.

References