Background
WS_FTP Server is a managed file transfer (MFT) product from Progress Software — the same company behind MOVEit Transfer, which was zero-dayed by Cl0p earlier in 2023. WS_FTP has been around for decades and is widely used in regulated industries for secure file transfer, particularly in healthcare, government, and financial services.
CVE-2023-40044 was disclosed and patched in September 2023, around the same time as another critical WS_FTP bug (CVE-2023-42657, a path traversal). The timing was unfortunate — security teams were already stretched from MOVEit, and now a second Progress MFT product had a critical vulnerability. Rapid7 published detailed analysis shortly after, and exploitation was observed almost immediately.
Technical Mechanism
WS_FTP Server includes an “Ad Hoc Transfer” module — a web-based interface that allows users to share files without a full FTP client. This module is built on ASP.NET and uses .NET serialization/deserialization for certain operations.
The vulnerability is in how the Ad Hoc Transfer module deserializes .NET objects from HTTP request parameters. Specifically, parameters passed to the .NET HttpRequest object are deserialized without proper type validation.
.NET deserialization vulnerabilities follow a standard pattern:
- An attacker sends an HTTP request to the vulnerable endpoint with a serialized .NET object as a parameter
- The application deserializes the object without validating its type
- By crafting a “gadget chain” — a series of objects that, when deserialized, call arbitrary methods — the attacker can execute OS commands
- Common .NET gadget chains (from tools like ysoserial.net) exploit classes like ObjectDataProvider or WindowsIdentity to achieve code execution
The exploit requires no authentication — the vulnerable Ad Hoc Transfer endpoint is publicly accessible. The code executes under the IIS application pool identity, which is typically a highly privileged service account on WS_FTP installations.
Real-World Exploitation Evidence
Rapid7 observed active exploitation within hours of publishing their technical analysis. Key findings:
- Ransomware activity — multiple ransomware operators attempted to exploit WS_FTP servers; some successful deployments were observed
- Cl0p ransomware connection — given Cl0p’s prior exploitation of MOVEit Transfer (also a Progress product), security researchers immediately watched for Cl0p activity; while not definitively attributed, the targeting of a second Progress MFT product in the same year is notable
- Mass scanning — Shodan data showed thousands of WS_FTP Ad Hoc Transfer interfaces publicly accessible
- Threat actor interest — multiple initial access broker communities were tracking this vulnerability
The timing — coming just months after the catastrophic MOVEit wave — meant many organisations had already deprioritised WS_FTP patching or weren’t aware they ran it.
Impact Assessment
- Remote code execution as SYSTEM or high-privilege service account — IIS app pools on WS_FTP typically have extensive permissions
- File access — WS_FTP manages file transfers; the server has access to all files configured for transfer
- Ransomware deployment — consistent with targeting of MFT products for data exfiltration and ransomware
- Data exfiltration — MFT servers are specifically designed to hold sensitive data; they’re targeted for this reason
- Compliance violations — a breach of an MFT server handling HIPAA, PCI-DSS, or similar data has immediate regulatory consequences
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| WS_FTP Server | 8.7.3 and earlier (with Ad Hoc Transfer) | 8.7.4 |
| WS_FTP Server | 8.8.x and earlier (with Ad Hoc Transfer) | 8.8.2 |
Note: Only installations with the Ad Hoc Transfer module enabled are vulnerable.
Remediation Steps
- Update WS_FTP Server to version 8.7.4 or 8.8.2 immediately
- If the Ad Hoc Transfer module is not in use, disable it:
  - Open WS_FTP Server Manager
  - Navigate to Server > Modules
  - Disable the Ad Hoc Transfer module
- If immediate patching is not possible, restrict HTTP access to the WS_FTP Server to trusted IP ranges only
- Check IIS logs for POST requests to Ad Hoc Transfer endpoints from unexpected sources
- Review Windows Event Logs for unexpected process spawning from the WS_FTP service account (Event ID 4688)
- Scan for webshells or new files in the WS_FTP web directories
- If compromise is suspected, check for:
  - New scheduled tasks or services
  - Installation of remote access tools (legitimate tools such as AnyDesk or TeamViewer are commonly abused)
  - Lateral movement indicators originating from the WS_FTP server host
Detection Guidance
IIS logs — look for POST requests to /AHT/AhtApiService.asmx or similar Ad Hoc Transfer endpoints with large base64-encoded parameters. Legitimate use doesn’t typically include serialized .NET objects.
Windows Event Logs:
- Event ID 4688: Process creation showing unexpected child processes of WS_FTP service
- Event ID 7045/4697: New service installation
Suricata signature:
alert http any any -> any $HTTP_PORTS (msg:"Progress WS_FTP CVE-2023-40044 Deserialization Attempt"; flow:established,to_server; http.uri; content:"/AHT/"; http.request_body; content:"AAEAAAD"; classtype:web-application-attack; sid:2034012; rev:1;)
Note: AAEAAAD is a common prefix in base64-encoded .NET serialized objects.
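The IIS log review above and the AAEAAAD note can be turned into a small triage script. This is an added example, not code from the original post or from Progress or Rapid7; the log lines are constructed, and the 2048-byte threshold, the trusted 10.x range and the presence of the cs-bytes column (IIS only records it when enabled) are assumptions.

```python
import base64
from urllib.parse import unquote

# Added example (assumptions: 2048-byte threshold, trusted 10.x range, cs-bytes enabled).
# A BinaryFormatter stream opens with the header 00 01 00 00 00 FF FF FF FF, which
# base64-encodes to the "AAEAAAD" prefix referenced in the Suricata note above.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"

def is_binaryformatter_b64(value: str) -> bool:
    """True if a (possibly URL-encoded) base64 value decodes to a BinaryFormatter stream."""
    value = unquote(value)
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return raw.startswith(BINARYFORMATTER_MAGIC)

def parse_w3c(lines):
    """Yield one dict per log entry, naming columns from the most recent #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage_iis_log(lines, min_bytes=2048, trusted_prefixes=("10.",)):
    """Return (client IP, URI, reasons) for suspicious POSTs to Ad Hoc Transfer (/AHT/) endpoints."""
    findings = []
    for e in parse_w3c(lines):
        if e.get("cs-method") != "POST" or not e.get("cs-uri-stem", "").upper().startswith("/AHT/"):
            continue
        size, query, ip = e.get("cs-bytes", "0"), e.get("cs-uri-query", "-"), e.get("c-ip", "-")
        reasons = []
        if size.isdigit() and int(size) >= min_bytes:
            reasons.append("large request body")
        if any(is_binaryformatter_b64(p.split("=", 1)[1]) for p in query.split("&") if "=" in p):
            reasons.append("BinaryFormatter payload in query string")
        if not ip.startswith(trusted_prefixes):
            reasons.append("untrusted source")
        if reasons:
            findings.append((ip, e["cs-uri-stem"], reasons))
    return findings

# Constructed sample log (not real traffic); entry 3 carries a URL-encoded base64 BinaryFormatter header.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2023-10-02 09:00:01 10.1.1.5 GET /AHT/AhtApiService.asmx - 200 412
2023-10-02 09:00:02 198.51.100.7 POST /AHT/AhtApiService.asmx - 200 98304
2023-10-02 09:00:03 10.1.1.9 POST /AHT/AhtApiService.asmx data=AAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAA%3D 500 640
2023-10-02 09:00:04 10.1.1.5 POST /AHT/AhtApiService.asmx - 200 512""".splitlines()
```

Running `triage_iis_log(SAMPLE_LOG)` flags the large POST from the external address and the query carrying a BinaryFormatter header, while the small POST from a trusted address is left alone.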
Timeline
| Date | Event |
|---|---|
| 27 September 2023 | Progress releases patches for CVE-2023-40044 and CVE-2023-42657 |
| 2 October 2023 | Rapid7 publishes detailed technical analysis |
| October 2023 | Active exploitation observed; ransomware activity detected |
| October 2023 | CISA adds to Known Exploited Vulnerabilities catalogue |
| 2023 | Second major Progress Software MFT vulnerability exploited in the wild within one year |