Progress Software has released hotfixes for its WS_FTP Server product to address a critical security vulnerability [3]. This flaw, tracked as CVE-2023-40044 [5], has a CVSS score of 10.0, the maximum severity rating [5]. It affects the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface [5].

The vulnerability allows an unauthenticated [2] [3] [4], remote attacker to exploit a .NET deserialization flaw in the Ad Hoc Transfer Module and execute commands on the operating system of the underlying WS_FTP Server host [3]. This amounts to pre-authentication remote code execution (RCE) with no user interaction required [1]. Separately, a directory traversal flaw tracked as CVE-2023-42657 enables unauthorized file operations [1]: an attacker can read, write, or otherwise act on files and folders outside their authorized WS_FTP folder path, or on the underlying operating system itself [3].
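The traversal flaw above is a failure to confine client-supplied paths to the user's authorized folder. The following is an added example of the defensive check that class of bug calls for; it is not WS_FTP's code, and the root `/srv/ftp/alice` and the sample requests are constructed for illustration.

```python
import posixpath
from typing import Optional

def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the user's authorised folder.

    Returns the normalised absolute path if it stays inside `root`, or None
    if the request would escape (the class of bug CVE-2023-42657 describes).
    `root` must be an absolute POSIX-style path; the helper deliberately
    never touches the real filesystem so the check is deterministic.
    """
    if not posixpath.isabs(root):
        raise ValueError("root must be an absolute path")
    if "\x00" in requested:
        # NUL bytes can truncate the path seen by lower-level APIs.
        return None
    root_norm = posixpath.normpath(root)
    # WS_FTP runs on Windows, so treat backslashes as separators before
    # normalising; otherwise '..\\..' would not be recognised as traversal.
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # commonpath (not startswith) blocks the sibling-prefix escape,
    # e.g. root /srv/ftp/alice versus candidate /srv/ftp/alice2/...
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate

def audit_requests(root: str, requests: list[str]) -> list[tuple[str, bool]]:
    """Classify each request as allowed (True) or rejected (False)."""
    return [(r, resolve_within_root(root, r) is not None) for r in requests]

# Constructed sample requests a transfer handler might receive; not real traffic.
SAMPLE_ROOT = "/srv/ftp/alice"
SAMPLE_REQUESTS = [
    "reports/2023/q3.csv",        # ordinary relative path: allowed
    "/etc/passwd",                # absolute path is re-rooted under SAMPLE_ROOT: allowed
    "../../etc/passwd",           # classic traversal: rejected
    "..\\..\\Windows\\win.ini",   # Windows-style traversal: rejected
    "../alice2/data",             # sibling-prefix trick: rejected
    "notes\x00.txt",              # embedded NUL: rejected
]

if __name__ == "__main__":
    for request, allowed in audit_requests(SAMPLE_ROOT, SAMPLE_REQUESTS):
        print(f"{'ALLOW ' if allowed else 'REJECT'} {request!r}")
```

The check is purely lexical; on a live server the resolved path should additionally be verified against symlinks and junctions (for example with a real-path resolution) before any file operation is performed.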

Progress Software has remediated these vulnerabilities and recommends upgrading to the latest version (8.8.2) to mitigate the risks. Note that the upgrade requires a system outage. The company has not observed any signs of exploit activity targeting these vulnerabilities [1]. More information can be found on the Progress Software website [4].

The hotfixes released by Progress Software address the critical security vulnerability in its WS_FTP Server product. By upgrading to the latest version [2] [4], users can mitigate the risks associated with both the .NET deserialization vulnerability and the directory traversal flaw. Although the upgrade causes a system outage, it is necessary to secure the WS_FTP Server. Progress Software has not detected any exploit activity targeting these vulnerabilities. For further details, refer to the Progress Software website [4].