
Critical WS_FTP Server Vulnerability Exploited by Ransomware Group Within Days of Patch Release

The cybersecurity landscape witnessed a rapid escalation in exploitation activity on October 13, 2023, as ransomware operators began targeting unpatched WS_FTP Server installations across enterprise environments. The vulnerability, tracked as CVE-2023-40044, represents a critical .NET deserialization flaw in the Ad Hoc Transfer Module that enables remote code execution with a single HTTPS POST request.

The Exploit Mechanics

The vulnerability resides in the MyFileUpload.UploadModule component of WS_FTP Server software, built by Progress Software. Security researchers from Assetnote discovered the flaw, which had apparently existed for approximately 15 years before identification. The exploitation path is alarmingly straightforward: an attacker can achieve remote code execution by sending a crafted HTTPS POST request to any URI within the Ad Hoc Transfer module for person-to-person file sharing.

Once initial access is established, the attack chain proceeds through multiple stages. It begins with an IIS component that triggers PowerShell scripts, which then deploy the open-source GodPotato privilege escalation tool. The final stage delivers a ransomware executable compiled from the leaked LockBit 3.0 source code, also known as LockBit Black. The threat actors, calling themselves the Reichsadler Cybercrime Group, demand roughly $500 in Bitcoin from their targets.

Affected Systems

According to Shodan scans conducted on October 13, nearly 2,000 servers running WS_FTP had their web servers exposed to the internet. This exposure is a prerequisite for exploitation, as the vulnerability requires the web-facing Ad Hoc Transfer module to be accessible. The majority of these installations belong to large enterprises, government agencies, and educational institutions — organizations that typically handle sensitive data transfers.

Progress Software, the Burlington, Massachusetts-based vendor, released a patch on September 27, 2023, shipping the fix in versions 8.7.5 and 8.8.3. However, applying the patch required a complete reinstallation rather than a simple update, which slowed deployment across affected organizations. The vendor confirmed that eight separate vulnerabilities were addressed in the release: two rated critical, three high severity, and three medium severity.

The Mitigation Strategy

Security firm Sophos observed attack attempts against customer environments and reported that behavioral detection rules successfully blocked the ransomware download. The detection triggered when a suspicious script made an outbound connection to a high-risk IP address. Organizations running WS_FTP Server should immediately upgrade to version 8.7.5 or 8.8.3, as the vendor has confirmed no other remediation method exists.

Compounding the risk, the Metasploit penetration testing framework was updated on October 6 with a module for exploiting CVE-2023-40044, dramatically lowering the barrier to entry for potential attackers. With Bitcoin trading around $26,862 at the time, the $500 ransom demand suggested the actors were casting a wide net rather than targeting high-value organizations specifically.

Lessons Learned

This incident underscores several critical security principles. First, the speed at which exploitation followed the patch release highlights the shrinking window organizations have to apply updates. A third-party researcher released proof-of-concept exploit code on September 28, just one day after Progress Software issued the patch. Progress Software expressed disappointment that the PoC was released so quickly, stating that it handed threat actors a roadmap while many customers were still patching.

Second, the 15-year-old nature of this vulnerability demonstrates how legacy code components can harbor critical flaws for extended periods. Third, the use of leaked LockBit source code illustrates how ransomware tools continue to proliferate even after law enforcement actions against the original operators.

User Action Required

Organizations must audit their infrastructure for WS_FTP Server installations immediately. If upgrading is not feasible in the short term, consider disabling the Ad Hoc Transfer module or restricting web access to the server entirely. Network monitoring should flag any PowerShell execution originating from IIS worker processes, and outbound connections to unrecognized IP addresses from FTP servers should trigger alerts. The convergence of publicly available exploit code, Metasploit integration, and active ransomware campaigns makes this vulnerability an urgent priority for every organization running affected versions.
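Detection logic for the two monitoring rules just described, as an added example that is not part of the original article or of any vendor tooling: it scans constructed Sysmon-style JSON process and network events (the field names, host name and sample values are assumptions of this example) and alerts when an IIS worker process spawns a script host, or when a process on the file transfer server connects to an address outside a constructed allowlist.

```python
import ipaddress
import json

# Script hosts that an IIS worker process should never be the parent of.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
IIS_WORKER = "w3wp.exe"

# Destinations the file transfer server is expected to talk to
# (constructed allowlist: internal ranges plus one partner address).
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.7/32"),  # TEST-NET-3 documentation address
]

# Constructed sample telemetry, one JSON event per line, in a simplified
# Sysmon-like shape (field names are an assumption of this example).
SAMPLE_LOG = r"""
{"type": "process", "host": "ftp01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type": "process", "host": "ftp01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type": "network", "host": "ftp01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "198.51.100.23", "dst_port": 443}
{"type": "network", "host": "ftp01", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "dst_ip": "10.20.30.40", "dst_port": 1433}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_allowed_destination(ip: str) -> bool:
    """True if the address falls inside the allowlist; unparseable input is not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def detect(log_text: str) -> list[str]:
    """Return one alert string per suspicious event in the log text."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            if basename(ev["parent"]) == IIS_WORKER and basename(ev["image"]) in SCRIPT_HOSTS:
                alerts.append(f"{ev['host']}: IIS worker spawned {basename(ev['image'])}")
        elif ev["type"] == "network" and not is_allowed_destination(ev["dst_ip"]):
            alerts.append(f"{ev['host']}: {basename(ev['image'])} connected to unrecognized "
                          f"{ev['dst_ip']}:{ev['dst_port']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample log, the first process event and the first network event raise alerts; the explorer-spawned shell and the connection into the internal 10.0.0.0/8 range do not.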


9 thoughts on “Critical WS_FTP Server Vulnerability Exploited by Ransomware Group Within Days of Patch Release”

  1. Ransomware groups weaponizing a patch within days means your patch window is zero. If you cannot update in 48 hours you are exposed.

    1. 48 hours is generous. Most enterprise patch cycles are 30-90 days. Ransomware groups know this and exploit the gap ruthlessly.

      1. GodPotato into ransomware in what, 4 steps? The attack chain was basically a tutorial. Anyone running WS_FTP without patching within 48 hours was asking for it.

  2. 15 years that vulnerability existed. Fifteen. Progress Software should be held accountable for shipping deserialization flaws in enterprise file transfer tools.

    1. Deserialization bugs are security 101. Sitting in enterprise software for 15 years tells you everything about testing practices at these vendors.

    2. A single HTTPS POST for RCE on an enterprise product. That should never happen in 2023, let alone persist for 15 years undetected.

      1. 15 years of a deserialization flaw in enterprise file transfer software. Progress Software has some serious explaining to do about their security audit process.

        1. 15 years undetected in production software. Think about how many other .NET deserialization bugs are sitting in enterprise stacks right now.

  3. GodPotato for privilege escalation after initial access is becoming the standard playbook. Seen it in three different incident reports this quarter.
