CVE-2026-42167 Scanner - Remote Code Execution (RCE) vulnerability in ProFTPD mod_sql
ProFTPD is a highly configurable FTP server widely used for transferring files over the network. It is commonly deployed in companies, data centers, and web hosting providers, and is valued for its extensibility and ease of configuration. The software ships with numerous modules, including mod_sql, which lets the FTP server use an SQL database as a backend for user authentication and storage. ProFTPD supports a variety of environments and runs on different operating systems. In many organizations it is part of the daily routine for handling bulk and automated file transfers, owing to its reliability and open-source nature.
A recently identified vulnerability in ProFTPD with mod_sql is a Remote Code Execution (RCE) flaw affecting versions before 1.3.10rc1. The flaw stems from unsafe handling of username input that reaches SQL backend commands during USER request logging expansions. Attackers can exploit it to execute arbitrary code on the server, which can lead to a full system compromise. The vulnerability does not require authentication, making it relatively easy to exploit over a network. It underscores the importance of validating and safely handling user input, particularly in applications that interface with databases.
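As a first-pass inventory check against the version boundary stated above, the following added example (not the scanner's or the ProFTPD project's code) classifies FTP greeting banners as affected, fixed or unknown. It assumes the default banner form `220 ProFTPD <version> Server ...` and the ordering release candidate < release < lettered maintenance release; the function names and sample banners are constructed, and a banner alone does not show whether mod_sql is loaded or whether a package carries a backported fix.

```python
import re

# First fixed release according to the page; anything older is treated as affected.
FIXED = "1.3.10rc1"

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?$")
_BANNER = re.compile(r"ProFTPD\s+(\d+\.\d+\.\d+[a-z0-9]*)")


def version_key(version):
    """Sortable key for ProFTPD versions: 1.3.8rc2 < 1.3.8 < 1.3.8a < 1.3.9."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage = (0, int(rc))             # release candidate sorts before the release
    elif letter is None:
        stage = (1, 0)                   # plain release
    else:
        stage = (2, ord(letter) - 96)    # maintenance release a, b, c, ...
    return (int(major), int(minor), int(patch)) + stage


def triage_banner(banner):
    """Return (status, version) where status is 'affected', 'fixed' or 'unknown'."""
    m = _BANNER.search(banner)
    if not m:
        return ("unknown", None)         # version hidden, or not ProFTPD at all
    version = m.group(1)
    try:
        older = version_key(version) < version_key(FIXED)
    except ValueError:
        return ("unknown", version)      # version string in an unexpected form
    return ("affected" if older else "fixed", version)


# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "220 ProFTPD 1.3.8b Server (files.example.test) [192.0.2.10]",
    "220 ProFTPD 1.3.10rc1 Server (ProFTPD) [192.0.2.11]",
    "220 ProFTPD Server (ProFTPD Default Installation) [192.0.2.12]",
    "220 (vsFTPd 3.0.5)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage_banner(line), line)
```

Hosts reported as `unknown` still need a direct check of the installed package version and of whether mod_sql is enabled in the server configuration.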
The technical crux of the flaw lies in the way mod_sql mishandles username buffers when processing USER commands. Specifically, a malicious payload embedded in the username field can manipulate SQL backend logging operations to trigger unauthorized operations in the server environment. The FTP service listens on ports commonly used for FTP connections, which makes it visible to attackers scanning for vulnerable instances. The vulnerability is triggered without elevated privileges or user interaction, which makes it attractive to attackers focused on mass exploitation across networks. The issue illustrates the dangers inherent in dynamic code evaluation that is not securely implemented.
If exploited, this vulnerability can give an attacker complete control over the affected system. That level of access enables attackers to install backdoors, conduct further network reconnaissance, or use compromised systems as launching pads for subsequent attacks. It opens paths to unauthorized data access or modification, disrupting service availability and undermining data integrity. In severe cases, exposure of personal or sensitive organizational information could result in breaches of privacy regulations. Organizations running affected versions of ProFTPD risk significant reputational damage and operational disruption if the flaw is exploited.