CVE-2023-40044/42657 - Critical RCE Vulnerability WS_FTP Server

This is an advisory only and is not a notification of activity being seen on your network. This advisory is for organizations that use WS-FTP Server to support secure file transfer capabilities.  If your organization does not use this platform, this notification may be discarded.


Progress Software has released hotfixes for its Enterprise WS_FTP server platform to address several vulnerabilities.  The most serious of these vulnerabilities, CVE-2023-40044, could allow an unauthenticated, remote attacker to exploit a .NET deserialization vulnerability present in the Ad Hoc Transfer Module to execute remote commands on the underlying WS-FTP Server’s operating system.  A second critical vulnerability, CVE-2023-42657, could allow an attacker to perform file operations on files and folders outside of their authorized WS-FTP folder path or on the underlying operating system. 

Critical Vulnerabilities

CVE-2023-40044 – Remote Code Execution .NET deserialization vulnerability

                CVSSv3: 10.0

CVE-2023-42657 – Directory Traversal Vulnerability

                CVSSv3: 9.9

Other Vulnerabilities


                CVSSv3: 8.3


                CVSSv3: 8.2


                CVSSv3: 8.3


                CVSSv3: 6.8


                CVSSv3: 6.1


                CVSSv3: 5.3 

Affected Versions

  • All versions prior to WS_FTP Server 2020.0.4 (8.7.4)
  • All versions prior to WS_FTP Server 2022.0.2 (8.8.2) 


  • Upgrade to WS_FTP Server 2020.0.4 (8.7.4)
  • Upgrade to WS_FTP Server 2022.0.2 (8.8.2)

If the Ad Hoc Module IS installed and you are unable to patch, the Ad Hoc Transfer Module may be disabled if it is not in use.

Additional Resources