CVE-2006-6564

FileZilla < 0.9.21 - Denial of Service via Malformed STOR Command

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-6564. PoCs published by rgod.

AI-analyzed exploit summary: This exploit triggers a denial-of-service (DoS) in FileZilla FTP Server 0.9.20/0.9.21 by sending malformed STOR commands with excessive path traversal sequences, causing an access violation. The PoC demonstrates the crash via socket interactions and includes debug output showing the exception.

Description

FileZilla Server before 0.9.22 allows remote attackers to cause a denial of service (crash) via a malformed argument to the STOR command, which results in a NULL pointer dereference. NOTE: CVE analysis suggests that the problem might be due to a malformed PORT command.

Exploits (2)

exploitdb WORKING POC VERIFIED
by rgod · php · dos · windows
https://www.exploit-db.com/exploits/2901

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: FileZilla FTP Server 0.9.20 beta / 0.9.21
Auth required
Prerequisites: Network access to the FTP server · Valid FTP credentials (or anonymous access if enabled)
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
php · dos · windows
https://www.exploit-db.com/exploits/2914

This PHP script exploits a denial-of-service vulnerability in FileZilla FTP Server 0.9.20 beta / 0.9.21 by sending malformed LIST, NLST, or NLST -al commands after authentication. The exploit triggers a crash by sending junk data in PASV, PORT, and LIST commands.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: FileZilla FTP Server 0.9.20 beta / 0.9.21
Auth required
Prerequisites: Network access to the target FTP server · Valid FTP credentials
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30853
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4937

Scores

EPSS 0.0733
EPSS Percentile 91.9%

Details

Status published
Products (1)
filezilla/filezilla < 0.9.21
Published Dec 15, 2006
Tracked Since Feb 18, 2026