securityonline.info 7/1/2026, 1:31:07 AM · external

ProFTPD flaw CVE-2026-35025 lets users bypass directory limits

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

The article discusses an active security exploit identified as CVE-2026-35025, a vulnerability in ProFTPD (versions ≤ 1.3.9b and ≤ 1.3.10rc2). The flaw lets logged-in users bypass access controls through the RNFR command, giving them access to protected directories via a manipulated path prefix. The vulnerability has a CVSS score of 8.6, indicating high severity, but no actual exploitation or confirmed proof-of-concept has been reported yet.

Currently, there is no patch available, but a workaround is to implement chroot for user sessions. The vulnerability matters because ProFTPD is widely used on Unix/Linux servers, which raises risks to the confidentiality and integrity of data.
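
To check whether the chroot workaround actually covers every server context, the following added example (not code from the article or from the ProFTPD project) audits a proftpd.conf for DefaultRoot, the ProFTPD directive that chroots a session. The sample configuration is constructed, and the chrooted/partial/none verdicts are a simplification assumed here: main-server settings are not inherited by a <VirtualHost>, while <Global> applies everywhere.

```python
import re

# Constructed sample proftpd.conf (not from the advisory or the ProFTPD project).
SAMPLE_CONF = """\
ServerName "main"
DefaultRoot ~
<VirtualHost 192.0.2.10>
  ServerName "uploads"
</VirtualHost>
<VirtualHost 192.0.2.11>
  ServerName "staff"
  DefaultRoot ~ !admins
</VirtualHost>
"""

def audit_default_root(conf_text):
    """Map the main server and each <VirtualHost> to chrooted/partial/none."""
    roots = {"server config": []}   # context -> [(path, group_expression)]
    global_roots = []               # <Global> applies to every server context
    stack = []                      # currently open <Section> blocks
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if section:
            closing, name, arg = section.groups()
            if closing:
                if stack:
                    stack.pop()
            else:
                stack.append(f"{name} {arg}".strip())
                if name.lower() == "virtualhost":
                    roots.setdefault(stack[-1], [])
            continue
        parts = line.split()
        if parts[0].lower() != "defaultroot" or len(parts) < 2:
            continue
        entry = (parts[1], " ".join(parts[2:]))
        # Nearest enclosing <Global> or <VirtualHost>, else the main server.
        ctx = next((s for s in reversed(stack)
                    if s.lower() == "global" or s in roots), "server config")
        (global_roots if ctx.lower() == "global" else roots[ctx]).append(entry)

    def verdict(entries):
        # Assumption: an unconditional DefaultRoot other than "/" confines everyone;
        # one with a group expression confines only the users it matches.
        if any(path != "/" and not expr for path, expr in entries):
            return "chrooted"
        return "partial" if any(path != "/" for path, _ in entries) else "none"

    return {ctx: verdict(entries + global_roots) for ctx, entries in roots.items()}
```

Any context reported as "none" or "partial" still has sessions that are not confined by the workaround.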


Article by CyberSIXT