Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable FTP service with low complexity but requires a valid low-privilege account (PR:L); enables reading and renaming protected files (C:H/I:H), no availability impact, no scope change.
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
AnalysisAI
Directory ACL bypass in ProFTPD (through 1.3.9b and 1.3.10rc2) lets authenticated FTP users reach files inside DenyAll-protected directories by prefixing paths with /proc/self/root in the RNFR (rename-from) command. Because the CVSS 4.0 vector specifies PR:L, exploitation requires a valid low-privilege FTP account, after which an attacker can rename and then retrieve files that configured Directory ACLs were meant to protect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated low-privilege FTP account (CVSS PR:L) on a ProFTPD instance that is NOT using DefaultRoot/chroot, and the target files must reside in directories governed by <Directory> ACLs (e.g., DenyAll) that the attacker is otherwise denied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately concordant and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a low-privilege FTP account logs into a non-chrooted ProFTPD server, then issues RNFR with a path such as /proc/self/root/etc/secret/data to rename a file living in a DenyAll-protected <Directory>, followed by RNTO into a location they can read, and finally retrieves it. Because attack complexity is low and no user interaction is needed, the sequence can be scripted once valid credentials are available; no public POC is identified at time of analysis. |
| Remediation | No vendor-released patch version is identified at time of analysis - the upstream item is GitHub issue https://github.com/proftpd/proftpd/issues/2170, not a tagged release - so monitor that issue, the ProFTPD project (http://www.proftpd.org/), and the VulnCheck advisory (https://www.vulncheck.com/advisories/proftpd-acl-bypass-via-proc-self-root-path-prefix-in-rnfr) for a fixed build and upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all ProFTPD instances running versions through 1.3.9b or 1.3.10rc2; assess service criticality and user access patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and informatio
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where
make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandl
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handl
Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of serv
In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. Rated high severi
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile direct
ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function. Rated hi
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Rated high severity (CVSS 7.5), this vulnerability is
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Rated high severity (CVSS 7.5), this vulnerability is
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38789
GHSA-9vr4-2f43-pc8v