CRITICAL🇵🇱 Wersja polska

CVE-2010-20103

CVSS 9.3v4.0pub. 2025-08-20upd. 2025-09-24

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Proftpd

    APP
    Proftpd
    1.3.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2019-12815CRITICAL9.8ten sam produkt

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and ...

CVE-2026-35025HIGH8.6ten sam produkt

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated...

CVE-2023-51713HIGH7.5ten sam produkt

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because o...

CVE-2021-46854HIGH7.5ten sam produkt

mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 ...

CVE-2020-9273HIGH8.8ten sam produkt

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This tr...