
eSentire Threat Intelligence Advisory: WinSock File Transfer Protocol Vulnerability Exploited

October 6, 2023



eSentire has recently observed active exploitation attempts targeting the WinSock File Transfer Protocol (WS_FTP) vulnerability CVE-2023-40044. Observed attacks resulted in the attempted deployment of the Metasploit payload Meterpreter and the adversary simulation tool Cobalt Strike.

CVE-2023-40044 (CVSS: 10) is classified as a WS_FTP .NET Deserialization vulnerability in the Ad Hoc Transfer Module. Exploitation would allow an unauthenticated threat actor to achieve remote command execution on the underlying operating system of the WS_FTP Server. The vulnerability was publicly disclosed along with security patches on September 27th, 2023. eSentire observed exploitation attempts beginning on September 30th.

As exploitation is ongoing, it is critical that organizations apply the relevant security patches immediately.

What we’re doing about it

What you should do about it

Additional information

CVE-2023-40044 was one of seven vulnerabilities announced by Progress Community. While CVE-2023-40044 should be prioritized for immediate patching due to exploitation, organizations should also review and prioritize the other vulnerabilities disclosed in this release. The exploitation of CVE-2023-40044 may indicate attacker interest in the platform.

Threat actors exploit CVE-2023-40044 by sending a specially crafted POST request to an unpatched WS_FTP server. Proof-of-Concept (PoC) exploit code for CVE-2023-40044 was publicly disclosed on September 29th. The release of PoC code will allow less skilled threat actors to adopt and employ the exploit in real-world attacks. At this point, it is likely that multiple threat actors are actively exploiting the vulnerability in opportunistic attacks for a variety of malicious purposes.
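For retrospective triage of the unauthenticated POST activity described above, the following added example (not eSentire or Progress code) scans IIS W3C logs for anonymous POST requests to the Ad Hoc Transfer module from the first observed exploitation date onward. It assumes the module is served through IIS with W3C logging; `MODULE_PREFIX` is a placeholder to replace with your deployment's path, and the log lines and IP addresses are constructed.

```python
from collections import Counter
from datetime import date

# Assumption: replace with the URL prefix your IIS site uses for the
# WS_FTP Ad Hoc Transfer module (placeholder, not taken from the advisory).
MODULE_PREFIX = "/ad-hoc-transfer-placeholder/"
FIRST_SEEN = date(2023, 9, 30)   # first exploitation attempts per the advisory

# Constructed IIS W3C log sample (documentation-range IPs, not real IoCs).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2023-09-26 10:02:11 POST /ad-hoc-transfer-placeholder/api - 203.0.113.7 200
2023-09-30 03:14:52 POST /Ad-Hoc-Transfer-Placeholder/api - 198.51.100.23 500
2023-10-01 08:40:03 GET /ad-hoc-transfer-placeholder/login - 198.51.100.23 200
2023-10-02 11:05:37 POST /ad-hoc-transfer-placeholder/api alice 192.0.2.44 200
2023-10-02 23:59:01 POST /other/app - 198.51.100.99 200
malformed line
2023-10-03 01:22:45 POST /ad-hoc-transfer-placeholder/api - 198.51.100.23 200
"""

def suspicious_posts(log_text, prefix=MODULE_PREFIX, since=FIRST_SEEN):
    """Return anonymous POSTs to the module prefix on or after `since`."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                           # skip truncated or malformed rows
        row = dict(zip(fields, values))
        try:
            day = date.fromisoformat(row["date"])
        except (KeyError, ValueError):
            continue
        if (row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower().startswith(prefix.lower())
                and row.get("cs-username") == "-"   # "-" means no authenticated user
                and day >= since):
            hits.append(row)
    return hits

def hits_by_source(hits):
    """Count flagged requests per client IP for triage."""
    return Counter(row["c-ip"] for row in hits)
```

A hit is a lead for investigation, not proof of compromise: correlate flagged source addresses and timestamps with process-creation telemetry on the WS_FTP host.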

Indicators of Compromise


IP Address



[1] https://nvd.nist.gov/vuln/detail/CVE-2023-40044
[2] https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
[3] https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module
