CVE-2000-0573

HP-UX - Remote Code Execution via wu-ftpd SITE EXEC Format String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2000-0573. PoCs published by Metasploit, qitest1, justme, including Metasploit module exploits/multi/ftp/wuftpd_site_exec_format.

AI-analyzed exploit summary This Metasploit module exploits a format string vulnerability in wu-ftpd versions older than 2.6.1 via SITE EXEC/INDEX commands, allowing arbitrary code execution. It includes automatic targeting and payload delivery mechanisms.

Description

The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/16311

This Metasploit module exploits a format string vulnerability in wu-ftpd versions older than 2.6.1 via SITE EXEC/INDEX commands, allowing arbitrary code execution. It includes automatic targeting and payload delivery mechanisms.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: wu-ftpd < 2.6.1
Auth required
Prerequisites: FTP server access · Valid credentials · Vulnerable wu-ftpd version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by qitest1 · cremotelinux_x86
https://www.exploit-db.com/exploits/269

This exploit targets a format string vulnerability in BeroFTPD 1.3.4(1) derived from wuftpd, allowing remote code execution via the SITE EXEC command. It uses a combination of shellcode and format string manipulation to achieve arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: BeroFTPD 1.3.4(1)
Auth required
Prerequisites: Network access to the vulnerable FTP server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by justme · textremotelinux_x86
https://www.exploit-db.com/exploits/20032

The writeup describes a format string vulnerability in Washington University ftp daemon (wu-ftpd) affecting the SITE EXEC and SITE INDEX commands. The vulnerability allows remote attackers to execute arbitrary commands as root due to improper input validation.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: wu-ftpd (versions affected by CVE-2000-0573)
No auth needed
Prerequisites: Network access to the vulnerable FTP server · wu-ftpd with SITE EXEC or SITE INDEX enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by kalou · cremotesolaris
https://www.exploit-db.com/exploits/239

This exploit targets a format string vulnerability in wu-ftpd (CVE-2000-0573) to achieve remote code execution. It constructs a malicious format string to overwrite memory addresses and includes SPARC shellcode for privilege escalation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: wu-ftpd (Solaris 2.8)
No auth needed
Prerequisites: Network access to vulnerable wu-ftpd service · Target architecture must be SPARC
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by venglin · cremotemultiple
https://www.exploit-db.com/exploits/201

This exploit targets a format string vulnerability in WU-FTPD 2.6.0, allowing remote code execution via the SITE EXEC command. It includes shellcode for both Linux and FreeBSD to spawn a shell, bypassing chroot restrictions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: WU-FTPD 2.6.0
Auth required
Prerequisites: Network access to vulnerable WU-FTPD server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by vsz_ · cremotelinux
https://www.exploit-db.com/exploits/20031

This exploit targets a format string vulnerability in the SITE EXEC command of wu-ftpd 2.6.0(1), allowing remote code execution as root. It leverages shellcode injection and precise memory manipulation to overwrite return addresses and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: wu-ftpd 2.6.0(1)
No auth needed
Prerequisites: Network access to the target FTP server · Anonymous FTP access enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by tf8 · cremoteunix
https://www.exploit-db.com/exploits/20030

This exploit targets a format string vulnerability in the SITE EXEC command of wu-ftpd 2.6.0, allowing remote code execution as root. It includes shellcode for various Linux and FreeBSD systems, leveraging the vulnerability to overwrite stack data and redirect execution flow.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: wu-ftpd 2.6.0
No auth needed
Prerequisites: Network access to the target FTP server · wu-ftpd 2.6.0 running on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by jduck · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb

This Metasploit module exploits a format string vulnerability in WU-FTPD versions older than 2.6.1 via SITE EXEC or SITE INDEX commands, allowing arbitrary code execution. It includes automatic targeting and payload delivery mechanisms.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: WU-FTPD < 2.6.1
Auth required
Prerequisites: Network access to FTP service · Valid FTP credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2000-13.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=96299933720862&w=2
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2000-039.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=96171893218000&w=2
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1387
Vendor Advisory third-party-advisory x_refsource_auscert
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=96179429114160&w=2
Vendor Advisory vendor-advisory x_refsource_netbsd
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-009.txt.asc
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/4773
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt

Scores

EPSS 0.9629
EPSS Percentile 99.9%

Details

Status published
Products (1)
hp/hp-ux 11.00
Published Jul 07, 2000
Tracked Since Feb 18, 2026