The article discusses an active security issue tracked as CVE-2026-35025, a vulnerability in ProFTPD (versions ≤ 1.3.9b and ≤ 1.3.10rc2). The flaw lets logged-in users bypass access controls through the RNFR command, gaining access to protected directories via a manipulated path prefix. The vulnerability has a CVSS score of 8.6, indicating high severity, but no actual exploitation or confirmed proof-of-concept has been reported yet.
Currently, there is no patch available, but a workaround involves implementing chroot for user sessions. The vulnerability matters because ProFTPD is widely used on Unix/Linux servers, which puts the confidentiality and integrity of data on those servers at risk.
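
To check whether the chroot workaround is in place, the following added example (not code from the article or from the ProFTPD project) audits a `proftpd.conf` for `DefaultRoot`, the ProFTPD directive that jails a session in a directory. The sample configuration and context labels are constructed, and the audit assumes that `<Global>` settings apply to every server while main-server settings are not inherited by `<VirtualHost>` blocks.

```python
import re

# Constructed sample proftpd.conf (not from the article); documentation IPs.
SAMPLE_CONF = """\
<Global>
  Umask 022
</Global>
<VirtualHost 192.0.2.10>
  DefaultRoot ~
</VirtualHost>
<VirtualHost 192.0.2.11>
  DefaultRoot ~ !staff
</VirtualHost>
"""

SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")

def audit_default_root(conf_text):
    """Return {server context: 'all' | 'conditional' | 'none'} for DefaultRoot."""
    stack = []              # open <Section> blocks, innermost last
    found = {"main": []}    # context -> argument lists of its DefaultRoot lines
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m and m.group(1):            # closing tag such as </VirtualHost>
            del stack[-1:]
        elif m:                         # opening tag
            label = f"{m.group(2).lower()} {m.group(3).strip()}".strip()
            stack.append(label)
            if label.startswith("virtualhost"):
                found.setdefault(label, [])
        elif line.split()[0].lower() == "defaultroot":
            # <IfModule>, <Limit> etc. are transparent: use the nearest server block.
            ctx = next((s for s in reversed(stack)
                        if s.startswith(("virtualhost", "global"))), "main")
            found.setdefault(ctx, []).append(line.split()[1:])
    shared = found.pop("global", [])    # assumption: <Global> covers every server
    # 'all': a path-only DefaultRoot jails every user; 'conditional': only
    # group-expression forms exist, so some users may stay outside the jail.
    return {ctx: ("all" if any(len(a) == 1 for a in e + shared)
                  else "conditional" if e + shared else "none")
            for ctx, e in found.items()}
```

Any context reported as `none` or `conditional` has sessions that are not confined by the workaround.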