October 4, 2023

CVE-2023-40044: WS_FTP Exploit In the Wild

What is CVE-2023-40044?

CVE-2023-40044 is a critical vulnerability that allows attackers to perform Remote Code Execution. To exploit it, an attacker sends a specially crafted POST request. Malicious actors are currently exploiting this vulnerability in real-world attacks.

What is vulnerable, and how bad is it?

This CVE affects only the WS_FTP ad hoc module in IIS. The problem is that WS_FTP generally runs on internet-facing web servers, so an attacker only has to send a special POST request to such a server to cause Remote Code Execution.

Recommendations for Everyone

Please install the latest patch for WS_FTP.

Recommendations for ThreatLocker® Customers

Since the attack spawns from w3wp.exe, it could be stopped through ThreatLocker® Ringfencing™. ThreatLocker® Ringfencing™ can prevent any process, such as w3wp.exe, from interacting with PowerShell or the Windows Command Line. In addition, Ringfencing™ can stop a process from spawning additional processes. The video below shows an example of ThreatLocker® Ringfencing™ stopping WinRAR from generating a process. Although Ringfencing™ does not fix or patch the vulnerability, it does prevent the most common post-exploitation techniques a hacker would use.
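The same parent/child relationship can also be checked in process-creation logs. The following is an added example, not code from ThreatLocker or the original post: it assumes Sysmon Event ID 1 style field names (`Image`, `ParentImage`, `ParentCommandLine`), and the sample records and the pool name `ExamplePool` are constructed.

```python
import ntpath
import re

PARENT = "w3wp.exe"  # IIS worker process the article says the attack spawns from
# Interpreters the article names (PowerShell, Windows Command Line).
# pwsh.exe (PowerShell 7) is an assumption added for this example.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
APP_POOL = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)  # w3wp.exe -ap "<pool>"

def image_name(path):
    """Lower-cased file name of a Windows image path, '' when absent."""
    return ntpath.basename((path or "").strip().strip('"')).lower()

def classify(event):
    """Return 'shell', 'other-child' or None for one process-creation record."""
    if image_name(event.get("ParentImage")) != PARENT:
        return None  # exact file-name match, so notw3wp.exe is ignored
    return "shell" if image_name(event.get("Image")) in SHELLS else "other-child"

def triage(events):
    """List every child of w3wp.exe, shells first, tagged with its app pool."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        pool = APP_POOL.search(ev.get("ParentCommandLine") or "")
        findings.append({"verdict": verdict, "child": image_name(ev.get("Image")),
                         "app_pool": pool.group(1) if pool else "unknown"})
    return sorted(findings, key=lambda f: f["verdict"] != "shell")

# Constructed sample records (not from a real incident).
W3WP = r"c:\windows\system32\inetsrv\w3wp.exe"
FIELDS = ("Image", "ParentImage", "ParentCommandLine")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (r"C:\Windows\System32\cmd.exe", W3WP, W3WP + ' -ap "ExamplePool"'),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", W3WP.upper(), W3WP + ' -ap "ExamplePool"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE", W3WP, ""),
    (r"C:\Windows\System32\cmd.exe", r"C:\Tools\notw3wp.exe", ""),
]]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `other-child` verdict is kept separate because w3wp.exe can legitimately start csc.exe when ASP.NET compiles pages, so those entries are for baselining rather than immediate alerting.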

Video Demonstration of ThreatLocker® Ringfencing™

Demonstration Timestamps:

0:00:04 – Open Real Time Unified Audit.

0:00:10 – Clicking on a file inside of a WinRAR ZIP that can exploit CVE-2023-38831.

0:00:12 – The exploit runs and tries to spawn an additional process that is hidden inside the ZIP file.

0:00:16 – ThreatLocker® blocking the attempt to generate an additional process through Ringfencing™.

Rayton Li
Craig Stevenson