{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ws_ftp-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WS_FTP Server"],"_cs_severities":["critical"],"_cs_tags":["ws_ftp","rce","cve-2023-40044","webserver"],"_cs_type":"advisory","_cs_vendors":["Progress"],"content_html":"\u003cp\u003eCVE-2023-40044 is a remote code execution vulnerability affecting WS_FTP Server. The vulnerability stems from insufficient validation of user-supplied input, allowing attackers to execute arbitrary code on the server. Exploit attempts typically involve sending a specially crafted HTTP POST request to the \u003ccode\u003e/AHT/AhtApiService.asmx/AuthUser\u003c/code\u003e endpoint. Publicly available Metasploit modules and Nuclei templates exist to exploit this vulnerability. Successful exploitation can lead to complete system compromise, including data exfiltration, installation of backdoors, and lateral movement within the network. Defenders should prioritize patching vulnerable WS_FTP servers and implementing detection mechanisms to identify and block exploitation attempts. The Metasploit module is focused on hitting the /AHT/ endpoint, not the full /AHT/AhtApiService.asmx/AuthUser URL, which can be used for tuning detection rules.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable WS_FTP server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/AHT/AhtApiService.asmx/AuthUser\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a payload designed to exploit CVE-2023-40044 and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe vulnerable WS_FTP server processes the malicious POST request without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker's payload is executed, allowing the attacker to gain a shell on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the shell to perform reconnaissance, identify sensitive data, and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-40044 can lead to complete compromise of the WS_FTP server. This can result in data breaches, financial loss, reputational damage, and disruption of services. The number of victims and sectors targeted is currently unknown, but given the widespread use of WS_FTP Server, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest patch for WS_FTP Server to address CVE-2023-40044 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WS_FTP CVE-2023-40044 Exploitation Attempt\u003c/code\u003e to your SIEM to identify malicious HTTP POST requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/AHT/AhtApiService.asmx/AuthUser\u003c/code\u003e with a 200 status code originating from untrusted sources.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from WS_FTP servers.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of your WS_FTP server, following security best practices.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to block known CVE-2023-40044 exploitation patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wsftp-rce/","summary":"Exploitation attempts targeting CVE-2023-40044 in WS_FTP software can lead to remote code execution via crafted HTTP POST requests, potentially allowing attackers to gain unauthorized access and compromise the affected system.","title":"WS_FTP Remote Code Execution Vulnerability (CVE-2023-40044)","url":"https://feed.craftedsignal.io/briefs/2024-01-wsftp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - WS_FTP Server","version":"https://jsonfeed.org/version/1.1"}