Creative Commons license
Executive Team Note: Our coordinated disclosure policy works on a 90 day timeline where we will disclose via our website 90 days after we report to a vendor. If a patch is released prior to that time our general policy is to allow 30 days before disclosure to allow for patch uptake. However, if an exploit or PoC is publicly released independently within that timeline we will publish. In this case, there was an independent researcher on Twitter/X that publicly disclosed a PoC after the patch was released so we published our research to provide more context around the vulnerability.


An attacker can exploit this vulnerability without authentication, to execute arbitrary commands on the Progress WS_FTP server through the deserialization of untrusted data. An attacker must be able to access the WS_FTP web server and the Ad Hoc Transfer application in order to exploit this issue.


An attacker can execute arbitrary commands on the server running WS_FTP, without any authentication.

Affected Software

WS_FTP Server versions prior to 8.7.4 and 8.8.2

Product Description

WinSock File Transfer Protocol, or WS_FTP, is a secure file transfer software package produced by Ipswitch, Inc. Ipswitch is a Massachusetts-based software producer established in 1991 that focuses on networking and file sharing.


Upgrade to WS_FTP Server 2020.0.4 (8.7.4) or WS_FTP Server 2022.0.2 (8.8.2).

Blog Post

The blog post for this issue can be found here.


Shubham Shah - Assetnote Security Research Team

Sean Yeoh - Assetnote Engineering Lead

Written by:
Shubham Shah
Sean Yeoh
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.