📄 Description (English)
BlackMoon FTP Server 3.1.2.1731 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to insert malicious code that would execute with LocalSystem account permissions during service startup.
🤖 AI Executive Summary
CVE-2019-25306 is a privilege escalation vulnerability in BlackMoon FTP Server 3.1.2.1731 exploiting unquoted service paths, allowing local attackers to execute arbitrary code with SYSTEM privileges. While no public exploit exists, the vulnerability poses significant risk to organizations using this FTP server for file transfer operations. Immediate patching is critical as the attack requires only local access and results in complete system compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 10:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using BlackMoon FTP Server for internal file transfer operations, particularly in: Banking sector (SAMA-regulated institutions) for secure document exchange, Government agencies (NCA oversight) managing classified communications, Healthcare facilities (MOH) handling patient records, Energy sector (ARAMCO, SEC) for operational data transfer, and Telecom companies (STC, Mobily) for network management. The privilege escalation to SYSTEM level enables attackers to compromise entire server infrastructure, access sensitive data, and establish persistent backdoors.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Defense and Security
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running BlackMoon FTP Server 3.1.2.1731 or earlier versions across your infrastructure
2. Restrict local access to FTP servers through network segmentation and access controls
3. Implement application whitelisting to prevent unauthorized code execution
4. Monitor service startup logs for suspicious process creation
PATCHING:
1. Upgrade BlackMoon FTP Server to version 3.1.2.1732 or later immediately
2. Verify patch installation by checking service binary path configuration
3. Test patched systems in non-production environment before production deployment
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable BlackMoon FTP service if not actively required
2. Run FTP service under non-SYSTEM account with minimal privileges
3. Implement file integrity monitoring on FTP service binaries
4. Use Windows AppLocker to restrict service execution paths
DETECTION:
1. Monitor Windows Event Viewer for Service Control Manager (Event ID 7045) for new service creation
2. Alert on any process execution from FTP service directory with elevated privileges
3. Track modifications to service registry keys (HKLM\SYSTEM\CurrentControlSet\Services)
4. Implement EDR rules detecting unquoted path exploitation patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل BlackMoon FTP Server الإصدار 3.1.2.1731 أو الإصدارات الأقدم
2. تقييد الوصول المحلي إلى خوادم FTP من خلال تقسيم الشبكة والتحكم في الوصول
3. تطبيق قائمة التطبيقات المسموحة لمنع تنفيذ الأكواد غير المصرح بها
4. مراقبة سجلات بدء الخدمة للكشف عن إنشاء العمليات المريبة
التصحيح:
1. ترقية BlackMoon FTP Server إلى الإصدار 3.1.2.1732 أو أحدث فوراً
2. التحقق من تثبيت التصحيح بفحص تكوين مسار ملف الخدمة
3. اختبار الأنظمة المصححة في بيئة غير الإنتاج قبل نشرها في الإنتاج
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل خدمة BlackMoon FTP إذا لم تكن مطلوبة بنشاط
2. تشغيل خدمة FTP تحت حساب غير SYSTEM بامتيازات محدودة
3. تطبيق مراقبة سلامة الملفات على ملفات خدمة FTP
4. استخدام Windows AppLocker لتقييد مسارات تنفيذ الخدمة
الكشف:
1. مراقبة Windows Event Viewer لمدير التحكم في الخدمة (معرف الحدث 7045) لإنشاء خدمة جديدة
2. تنبيهات على أي تنفيذ عملية من دليل خدمة FTP بامتيازات مرتفعة
3. تتبع التعديلات على مفاتيح سجل الخدمة (HKLM\SYSTEM\CurrentControlSet\Services)
4. تطبيق قواعد EDR للكشف عن أنماط استغلال المسارات غير المقتبسة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.8.1.1 - Asset inventory and ownership
A.12.2.1 - Restrictions on software installation
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.PT-2 - Removable media is protected and its use restricted
DE.CM-8 - Vulnerability scans are performed
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Internal organization
A.8.1 - Asset management
A.12.2 - Restrictions on software installation
A.12.6 - Management of technical vulnerabilities and exposures
A.14.2 - Security requirements analysis and specification
🟣 PCI DSS v4.0.1
Requirement 2.2 - Configuration standards for system components
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 3