Recently, several WS_FTP vulnerabilities have been discovered and many cybersecurity forums have started discussing the issue, as it has become a prime target for ransomware attacks. The most notable organization that attacked the exposed server was revealed to be a specialized cybercrime group known as Reichsadler. The group reportedly launched the attack as soon as the WS_FTP server vulnerability was revealed. Ipswitch, the developer of WS_FTP, published hotfixes and workarounds to remediate the WS_FTP server vulnerability on its official blog on September 23.

WS_FTP (WinSock File Transfer Protocol) is an implementation of FTP (File Transfer Protocol) developed by Ipswitch, a software used for transferring and sharing files over the internet. A WS_FTP server is the easiest way to securely store, share, and transfer information between systems, applications, groups, and individuals. WS_FTP, which consists of an FTP server and an FTP client, is a popular product with over 40 million active users worldwide.

Ransomware Attack Launched Shortly After the WS_FTP Server Vulnerability Was Revealed

Security researchers at Assetnote, who originally discovered the vulnerability, shared the PoC (Proof of Concept) exploit code after the Ipswitch patch was announced. The main cause of the attacks was revealed by analyzing instances where a ransomware attack was attempted and failed to propagate. It reportedly exploited a .NET deserialization vulnerability in the ad hoc transmission module, which allowed unauthenticated attackers to execute commands remotely from a standard operating system via an HTTP request. All versions of the WS_FTP server are affected by this attack, including CVE-2023-40044, which has a critical vulnerability score (CVSS) of 10. 

WS_FTP vulnerability security hotfix announcement released by Ipswitch on September 27

More Than 4,600 WS_FTP Servers Exposed on the Internet 

The following is the result page of a search on a WS_FTP server connected to the internet using the product filter in Criminal IP Asset Search.

Search Query: product: WS_FTP

Using the product filter in Criminal IP Asset Search to find WS_FTP servers

More than 4,600 externally exposed WS_FTP servers have been discovered. This is more than double the numbers reported on BleepingComputer, a cybersecurity forum.

Of course, not all WS_FTP servers that are exposed to the outside world have vulnerabilities, or are susceptible to ransomware attacks. This is because the WS_FTP server is used to transfer and store files between groups or individuals, so there are cases where it is deliberately connected to external sources. However, due to the nature of using an FTP server, confidential personal information or documents are regularly stored on the server. If security settings are not promptly configured, or user IDs and passwords are leaked, a hacker looking to exploit this vulnerability can gain access to the system and attempt a ransomware attack.

Asset Search report of a specific IP address using an outdated version of the WS_FTP server

When you check one of the servers in the search results,  five ports are open. Of these, port 21, on which an FTP server is currently running, is confirmed to be in a vulnerable state. If your WS_FTP servers are vulnerable and are exposed to the outside world, the possibility of an attack is always present.

Furthermore, if you look at the open port information, you can confirm that the WS_FTP version on port 21 is 3.1.3. Currently, the recommended WS_FTP version by Ipswitch is 8.8.4, so it is likely that the server has been left unpatched and exposed for a very long time.

Statistics on Countries Using Exposed WS_FTP Servers

With the Criminal IP Element Analysis feature, you can view the statistics of countries using  exposed WS_FTP servers on the internet with the product: WS_FTP query. It is confirmed that a total of 70 countries are using exposed WS_FTP servers. Among them, the United States has the highest figure with 2,834, followed by Germany with 221, and the United Kingdom with 212.

Statistics of countries using exposed WS_FTP servers detected by Criminal IP

Among the more than 4,000 exposed WS_FTP servers discovered by Criminal IP, the majority had not applied appropriate security patches. Ransomware attacks exploiting this vulnerability continue to this day, and many vulnerabilities for which exploits (other than ransomware) have been published are open to attack by hackers at any time. Therefore, companies and organizations running WS_FTP servers need to apply the recommended security settings and patch the servers to the latest version. The vulnerability patches for CVE-2023-40044 and recommendation for securing vulnerable servers can be found on the official Ipswitch website.

Check out the article on the Oracle WebLogic RCE Vulnerability: CVE-2023-21839 that occurred in 2020.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.

Source: Criminal IP (

Related Article(s):