CVE-2023-40044 CRITICAL

CVE-2023-40044: WS_FTP Server Ad Hoc Transfer Module .NET Deserialization Vulnerability

Vendor: Progress Software Corporation
Product: WS_FTP Server
Weakness: CWE-502 · Unsafe deserialization
KEV Status: Known Exploited
Ransomware: Used in campaigns
Published: September 27, 2023
Last update: October 21, 2025

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

September 27, 2023: CVE published
October 21, 2025: Record updated