Skip to main content

ProFTPD CVE-2026-35025

| EUVDEUVD-2026-38789 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-24 VulnCheck GHSA-9vr4-2f43-pc8v
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable FTP service with low complexity but requires a valid low-privilege account (PR:L); enables reading and renaming protected files (C:H/I:H), no availability impact, no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 14:21 vuln.today

DescriptionCVE.org

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.

AnalysisAI

Directory ACL bypass in ProFTPD (through 1.3.9b and 1.3.10rc2) lets authenticated FTP users reach files inside DenyAll-protected directories by prefixing paths with /proc/self/root in the RNFR (rename-from) command. Because the CVSS 4.0 vector specifies PR:L, exploitation requires a valid low-privilege FTP account, after which an attacker can rename and then retrieve files that configured Directory ACLs were meant to protect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege FTP account
Delivery
Send RNFR with /proc/self/root path prefix
Exploit
Bypass Directory ACL via unresolved symlink in dir_check()
Execution
Rename protected file to accessible path
Impact
Retrieve DenyAll-protected file contents

Vulnerability AssessmentAI

Exploitation Requires an authenticated low-privilege FTP account (CVSS PR:L) on a ProFTPD instance that is NOT using DefaultRoot/chroot, and the target files must reside in directories governed by <Directory> ACLs (e.g., DenyAll) that the attacker is otherwise denied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately concordant and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a low-privilege FTP account logs into a non-chrooted ProFTPD server, then issues RNFR with a path such as /proc/self/root/etc/secret/data to rename a file living in a DenyAll-protected <Directory>, followed by RNTO into a location they can read, and finally retrieves it. Because attack complexity is low and no user interaction is needed, the sequence can be scripted once valid credentials are available; no public POC is identified at time of analysis.
Remediation No vendor-released patch version is identified at time of analysis - the upstream item is GitHub issue https://github.com/proftpd/proftpd/issues/2170, not a tagged release - so monitor that issue, the ProFTPD project (http://www.proftpd.org/), and the VulnCheck advisory (https://www.vulncheck.com/advisories/proftpd-acl-bypass-via-proc-self-root-path-prefix-in-rnfr) for a fixed build and upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all ProFTPD instances running versions through 1.3.9b or 1.3.10rc2; assess service criticality and user access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-3306 CRITICAL POC
10.0 May 18

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2019-12815 CRITICAL POC
9.8 Jul 19

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and informatio

CVE-2026-42167 HIGH POC
8.1 Apr 28

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where

CVE-2023-51713 HIGH POC
7.5 Dec 22

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandl

CVE-2019-18217 HIGH POC
7.5 Oct 21

ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handl

CVE-2013-4359 MEDIUM POC
5.0 Sep 30

Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of serv

CVE-2020-9273 HIGH
8.8 Feb 20

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. Rated high severi

CVE-2016-3125 HIGH
7.5 Apr 05

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile direct

CVE-2020-9272 HIGH
7.5 Feb 20

ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function. Rated hi

CVE-2019-19272 HIGH
7.5 Nov 26

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2019-19271 HIGH
7.5 Nov 26

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Rated high severity (CVSS 7.5), this vulnerability is

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP6 Affected

Share

CVE-2026-35025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy