📄 Description (English)
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability — Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.
🤖 AI Executive Summary
CVE-2023-40044 is a critical deserialization vulnerability (CVSS 9.0) in Progress WS_FTP Server's Ad Hoc Transfer module that allows authenticated attackers to execute arbitrary remote commands on the underlying operating system. A public exploit is available, significantly elevating the risk of active exploitation in the wild. The vulnerability requires only authenticated access, meaning any user with valid credentials — including low-privileged accounts — can leverage this flaw to achieve full system compromise. Organizations using WS_FTP Server for managed file transfer operations must treat this as an emergency patching priority.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 16, 2026 20:38
🇸🇦 Saudi Arabia Impact Assessment
WS_FTP Server is widely deployed across Saudi Arabia's enterprise and government sectors for secure managed file transfer (MFT) operations. Banking and financial institutions regulated by SAMA are at high risk, as MFT solutions are commonly used for inter-bank data exchange, regulatory reporting, and SWIFT-adjacent file operations. Government entities under NCA oversight that use WS_FTP for classified or sensitive document transfer face significant data exfiltration risk. Energy sector organizations including Saudi Aramco and SABIC subsidiaries that rely on WS_FTP for operational data exchange between OT/IT environments could face cascading impacts. Healthcare organizations transferring patient records and telecom providers (STC, Mobily, Zain) managing subscriber data are also at elevated risk. Given the availability of a public exploit, threat actors including ransomware groups and nation-state actors known to target Saudi infrastructure (e.g., APT groups linked to regional adversaries) are likely to weaponize this vulnerability rapidly.
🏢 Affected Saudi Sectors
Banking
Government
Energy
Healthcare
Telecom
Financial Services
Defense
Critical Infrastructure
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (0-24 hours):
1. Identify all instances of Progress WS_FTP Server in your environment using asset inventory and network scanning.
2. Isolate WS_FTP Server instances from the internet and restrict access to trusted IP ranges only via firewall rules.
3. Disable the Ad Hoc Transfer module immediately if it is not operationally required (IIS module can be disabled via IIS Manager).
4. Review authentication logs for anomalous login activity and command execution events on WS_FTP hosts.
PATCHING GUIDANCE:
5. Apply the vendor-supplied patch immediately — upgrade to WS_FTP Server 2020.0.4 (8.7.4) or 2022.0.2 (8.8.2) or later as released by Progress Software.
6. Follow the official Progress advisory at https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability for upgrade instructions.
7. Validate patch integrity using vendor-provided checksums before deployment.
COMPENSATING CONTROLS (if patching is delayed):
8. Disable the Ad Hoc Transfer IIS application entirely.
9. Implement Web Application Firewall (WAF) rules to block deserialization attack patterns targeting WS_FTP endpoints.
10. Enforce multi-factor authentication (MFA) on all WS_FTP accounts to raise the bar for authenticated exploitation.
11. Restrict WS_FTP Server to internal network segments only — remove any public-facing exposure.
DETECTION RULES:
12. Monitor for suspicious child processes spawned by WS_FTP Server processes (e.g., cmd.exe, powershell.exe, wscript.exe).
13. Deploy YARA/Sigma rules targeting .NET deserialization gadget chains in HTTP POST requests to WS_FTP Ad Hoc Transfer endpoints.
14. Alert on outbound connections from WS_FTP Server hosts to unknown external IPs.
15. Enable Windows Event Log auditing (Event IDs 4688, 4104) on WS_FTP hosts for process creation and PowerShell execution.
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 0-24 ساعة):
1. تحديد جميع نسخ Progress WS_FTP Server في بيئتك باستخدام جرد الأصول وفحص الشبكة.
2. عزل خوادم WS_FTP عن الإنترنت وتقييد الوصول إلى نطاقات IP موثوقة فقط عبر قواعد جدار الحماية.
3. تعطيل وحدة Ad Hoc Transfer فوراً إذا لم تكن مطلوبة تشغيلياً (يمكن تعطيل وحدة IIS عبر IIS Manager).
4. مراجعة سجلات المصادقة للكشف عن نشاط تسجيل دخول غير طبيعي وأحداث تنفيذ الأوامر على مضيفي WS_FTP.
إرشادات التصحيح:
5. تطبيق التصحيح المقدم من المورد فوراً — الترقية إلى WS_FTP Server 2020.0.4 (8.7.4) أو 2022.0.2 (8.8.2) أو إصدار أحدث.
6. اتباع الإرشاد الرسمي من Progress Software للحصول على تعليمات الترقية التفصيلية.
7. التحقق من سلامة التصحيح باستخدام المجاميع الاختبارية المقدمة من المورد قبل النشر.
ضوابط التعويض (في حال تأخر التصحيح):
8. تعطيل تطبيق IIS الخاص بـ Ad Hoc Transfer بالكامل.
9. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط هجمات إلغاء التسلسل التي تستهدف نقاط نهاية WS_FTP.
10. فرض المصادقة متعددة العوامل (MFA) على جميع حسابات WS_FTP لرفع عتبة الاستغلال المصادق.
11. تقييد خادم WS_FTP على شرائح الشبكة الداخلية فقط وإزالة أي تعرض للشبكات العامة.
قواعد الكشف:
12. مراقبة العمليات الفرعية المشبوهة التي تنشئها عمليات WS_FTP Server (مثل cmd.exe وpowershell.exe).
13. نشر قواعد YARA/Sigma لاستهداف سلاسل أدوات إلغاء تسلسل .NET في طلبات HTTP POST إلى نقاط نهاية Ad Hoc Transfer.
14. التنبيه على الاتصالات الصادرة من مضيفي WS_FTP Server إلى عناوين IP خارجية غير معروفة.
15. تفعيل تدقيق سجل أحداث Windows (معرفات الأحداث 4688 و4104) على مضيفي WS_FTP لمراقبة إنشاء العمليات وتنفيذ PowerShell.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — patch critical vulnerabilities within defined SLAs
ECC-1-3-2: Cybersecurity Event Logging and Monitoring — detect anomalous process execution
ECC-2-2-1: Network Security — restrict unnecessary exposure of file transfer services
ECC-2-3-1: Secure Configuration — disable unused modules and services
ECC-1-5-1: Cybersecurity Incident Management — activate IR procedures for active exploitation
🔵 SAMA CSF
3.3.6 Vulnerability Management — critical patch deployment within emergency timelines
3.3.5 Patch Management — vendor patch assessment and deployment
3.3.2 Network Security Management — network segmentation of MFT infrastructure
3.3.9 Penetration Testing — validate remediation effectiveness
3.4.1 Cybersecurity Incident Management — escalate to CISO and activate IR plan
🟡 ISO 27001:2022
A.8.8 Management of Technical Vulnerabilities — timely patching of critical systems
A.8.20 Networks Security — network controls to limit exposure
A.8.15 Logging — monitor for exploitation indicators
A.8.25 Secure Development Life Cycle — validate third-party software security
A.5.26 Response to Information Security Incidents — incident response activation
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by installing applicable security patches
Requirement 10.4 — Audit logs reviewed to identify anomalies
Requirement 1.3 — Network access controls restricting inbound and outbound traffic
Requirement 12.10 — Incident response plan activated upon detection of exploitation
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Progress:WS_FTP Server