Vulnerability Analysis

Progress WS_FTP CVE-2023-40044: Another File Transfer Platform Falls to Pre-Auth RCE

A critical deserialization vulnerability in Progress WS_FTP Server allowed unauthenticated RCE. Coming after MOVEit, it proved that file transfer platforms remain a systemic weak point.

Michael
Threat Intelligence Lead

On September 27, 2023, Progress Software disclosed multiple critical vulnerabilities in WS_FTP Server, their enterprise file transfer platform. The most severe, CVE-2023-40044, was a .NET deserialization vulnerability in the Ad Hoc Transfer module that allowed pre-authentication remote code execution. It received a CVSS score of 10.0, the maximum possible.

The timing was particularly notable. Progress Software was the same vendor behind MOVEit Transfer, whose zero-day exploitation by the Clop ransomware gang had affected over 2,500 organizations just months earlier. Now, another Progress file transfer product had a maximum-severity vulnerability. For organizations that had spent the summer dealing with MOVEit fallout, the WS_FTP disclosure was an unwelcome reminder that the managed file transfer category had a deep and persistent security problem.

The Vulnerability

CVE-2023-40044 was a .NET deserialization vulnerability in WS_FTP Server's Ad Hoc Transfer module. The module lets users send files through a web interface without an FTP client. The flaw lay in how the module deserialized certain data: an attacker could send a crafted request whose contents were deserialized by the server, executing arbitrary code in the process.

Deserialization vulnerabilities in .NET applications follow a well-understood pattern. The .NET serialization framework allows objects to be converted to and from binary or text representations. If an application deserializes data from an untrusted source, an attacker can craft a serialized object that triggers code execution when it's deserialized. Tools like ysoserial.net provide ready-made payload generators for .NET deserialization attacks.
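The pattern described above, as an added C# illustration (not WS_FTP code, whose internals the post does not show): a handler that feeds an untrusted request body to BinaryFormatter, beside a hardened handler that deserializes into one fixed type with a format that carries no type names. The TransferRequest shape is constructed for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed example type: the kind of object a web-based ad hoc transfer
// request might carry. Nothing here is taken from WS_FTP itself.
public sealed class TransferRequest
{
    public string Recipient { get; set; } = "";
    public string FileName { get; set; } = "";
}

// VULNERABLE PATTERN: BinaryFormatter instantiates whatever types the
// attacker-controlled stream names. Gadget chains in the serialized graph run
// during Deserialize(), so the cast below is reached too late to help.
public static class UnsafeHandler
{
    public static TransferRequest Parse(Stream untrusted)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete for this reason
        var formatter = new BinaryFormatter();
        return (TransferRequest)formatter.Deserialize(untrusted);
#pragma warning restore SYSLIB0011
    }
}

// HARDENED: System.Text.Json only ever constructs the declared type and fills
// its public properties; the input cannot choose types. Restricting type names
// with a SerializationBinder around BinaryFormatter is not a substitute.
public static class SafeHandler
{
    private static readonly JsonSerializerOptions Options = new()
    {
        MaxDepth = 8,                     // bound nesting from untrusted input
        PropertyNameCaseInsensitive = true,
    };

    public static TransferRequest Parse(Stream untrusted)
    {
        var req = JsonSerializer.Deserialize<TransferRequest>(untrusted, Options)
                  ?? throw new InvalidDataException("empty request body");
        // Validate fields after safe deserialization; reject path components.
        if (req.FileName.Length == 0 || Path.GetFileName(req.FileName) != req.FileName)
            throw new InvalidDataException("file name must be a bare name");
        if (req.Recipient.Length == 0)
            throw new InvalidDataException("recipient is required");
        return req;
    }
}
```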

The vulnerability required no authentication and could be exploited through the web interface. Any WS_FTP Server with the Ad Hoc Transfer module enabled and accessible from the attacker's network was vulnerable.

In addition to CVE-2023-40044, Progress disclosed seven other vulnerabilities in WS_FTP Server, including a directory traversal (CVE-2023-42657, CVSS 9.9) and several cross-site scripting, SQL injection, and cross-site request forgery issues.

Immediate Exploitation

Proof-of-concept exploit code was available within days of disclosure. Security researchers at Assetnote, who discovered the vulnerability, published a detailed technical analysis. Rapid7 observed exploitation attempts in the wild beginning October 1, just four days after disclosure.

The exploitation attempts included deployment of webshells on compromised servers, ransomware deployment attempts, and reconnaissance activity consistent with initial access brokering.

The speed of exploitation was unsurprising given the CVSS 10.0 rating and the availability of .NET deserialization tools. The vulnerability was straightforward to exploit for anyone familiar with .NET deserialization attacks.

The File Transfer Platform Pattern

CVE-2023-40044 was the latest in a series of critical vulnerabilities affecting managed file transfer platforms in 2023.

GoAnywhere MFT (CVE-2023-0669). Pre-auth RCE exploited by Clop starting February 2023. Over 130 organizations compromised.

MOVEit Transfer (CVE-2023-34362). SQL injection leading to RCE, exploited by Clop starting May 2023. Over 2,500 organizations affected. Estimated financial impact in the billions.

WS_FTP Server (CVE-2023-40044). Pre-auth deserialization RCE disclosed September 2023.

Three critical vulnerabilities in three different file transfer platforms from two vendors in a single year. The pattern was clear: managed file transfer platforms as a category had a serious security debt.

The reasons were structural. MFT platforms are designed to be reachable from the internet. They handle sensitive files, which makes them high-value targets. Their codebases are often old, predating modern secure development practices. And their broad functionality, spanning file handling, user management, scheduling, and notifications, creates a large attack surface.

The Progress Software Question

Progress Software now had two of its file transfer products exploited in the same year. MOVEit Transfer had become one of the most consequential software vulnerabilities of 2023, and now WS_FTP had a maximum-severity flaw.

For Progress customers, this raised difficult questions. Is the vendor's development methodology producing secure code? Are there systemic issues in Progress's codebase that will continue to produce vulnerabilities? Should organizations be looking at alternatives?

These questions don't have simple answers. Every software vendor has vulnerabilities. But the severity, frequency, and exploitation of vulnerabilities in Progress's file transfer products warranted a risk reassessment.

Remediation

Progress released WS_FTP Server version 8.8.2 to address all disclosed vulnerabilities. For organizations that couldn't immediately patch, the main mitigation was disabling the Ad Hoc Transfer module if it wasn't needed, which removed the attack surface CVE-2023-40044 depends on.

For organizations that had WS_FTP servers exposed to the internet, the patch needed to be treated as an emergency. The combination of a CVSS 10.0 score, available exploit code, and active exploitation in the wild left no room for standard patch management timelines.

Post-patching, organizations needed to review their WS_FTP servers for indicators of compromise, particularly webshells or unauthorized user accounts. Given the speed of exploitation, organizations that were exposed for even a few days should assume potential compromise and investigate accordingly.

How Safeguard.sh Helps

Safeguard.sh helps organizations maintain awareness of their exposure to vulnerabilities like CVE-2023-40044 through continuous monitoring and SBOM tracking. When critical vulnerabilities are disclosed in enterprise software, knowing immediately whether you're running affected versions is the difference between proactive patching and reactive incident response. Our platform's policy gates enforce security baselines that include infrastructure components, not just application code. When file transfer platforms repeatedly prove to be high-risk components, Safeguard.sh ensures that risk is visible and managed rather than hidden in a corner of the infrastructure that nobody monitors.
