ZeroPath security researchers have published details of CVE-2026-42167, an authentication bypass vulnerability in ProFTPD that under specific conditions allows an unauthenticated remote attacker to progress to arbitrary code execution on the server. ProFTPD is one of the most widely deployed FTP server implementations on Linux and Unix systems, used by hosting providers, file transfer infrastructure, legacy enterprise systems, and embedded storage appliances.
Vulnerability Details
The vulnerability affects ProFTPD’s authentication state machine in the interaction between the PASS command handler and a specific sequence of commands that can cause the server to advance a connection’s authentication state without a valid password being supplied. ZeroPath’s research describes the root cause as an incorrect state transition that can be triggered by a crafted sequence of FTP protocol messages sent before authentication completes.
When authentication state is incorrectly advanced, the attacker gains access to post-authentication ProFTPD commands, including file system operations and — depending on the ProFTPD module configuration — commands that can be abused for code execution. The path to code execution depends on the specific ProFTPD module configuration:
- In configurations with mod_exec or mod_exec_on_cmd enabled, arbitrary system commands can be executed
- In configurations with world-writable file upload directories accessible to system paths, uploaded files can be leveraged for execution via subsequent service interactions
Without code execution: The authentication bypass alone enables unauthenticated file system access — listing directories, downloading files, and potentially uploading files to writable directories. In a file transfer server context, this means exfiltration of any data the FTP server exposes.
Affected Versions
ProFTPD versions prior to 1.3.9a are affected. The fix is included in ProFTPD 1.3.9a and 1.3.8d (the current stable and maintenance branches).
Check your installed version:
proftpd --version
Update via your distribution package manager or from the ProFTPD project:
# Debian/Ubuntu
apt update && apt install proftpd-basic
# RHEL/CentOS (EPEL)
dnf update proftpd
Why FTP Servers Accumulate Patch Debt
FTP servers are a category of infrastructure that frequently falls out of regular patch management cycles. The reasons are familiar:
“No one uses FTP anymore” — an assumption that is true for newly built systems but false for legacy infrastructure. File transfer workflows built around FTP in the 2000s and 2010s often persist in manufacturing, logistics, and healthcare environments where changing the transfer protocol requires coordination with dozens of upstream and downstream partners.
Embedded systems: ProFTPD is included in the firmware of numerous NAS devices, storage appliances, and embedded Linux systems. These devices receive firmware updates infrequently if at all, and the ProFTPD installation within them is rarely managed separately.
Overlooked in asset inventories: FTP services running on non-standard ports or inside internal network segments often do not appear in vulnerability scan results, leaving them outside the scope of patch management programmes.
Organisations should run an internal scan for ProFTPD instances (listening on TCP/21 or alternative FTP ports) and identify any running pre-1.3.9a versions. Because the vulnerability is an authentication bypass, internet-accessible ProFTPD instances should be treated as an immediate remediation priority.