CVE-2006-6565

FileZilla Server < 0.9.22 - Denial of Service via Wildcard LIST/NLST Command

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-6565. PoCs were published by shinnai and aushack, including the Metasploit module auxiliary/dos/windows/ftp/filezilla_server_port. A Nuclei detection template is also available.

Description

FileZilla Server before 0.9.22 allows remote attackers to cause a denial of service (crash) via a wildcard argument to the (1) LIST or (2) NLST commands, which results in a NULL pointer dereference, a different set of vectors than CVE-2006-6564. NOTE: CVE analysis suggests that the problem might be due to a malformed PORT command.

Exploits (2)

exploitdb WORKING POC VERIFIED
by shinnai · php · dos · windows
https://www.exploit-db.com/exploits/2914

This PHP script exploits a denial-of-service vulnerability in FileZilla FTP Server versions 0.9.20 beta and 0.9.21 by sending malformed LIST, NLST, or NLST -al commands. It establishes an FTP connection, authenticates, and sends crafted input to trigger the DoS condition.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: FileZilla FTP Server 0.9.20 beta / 0.9.21
Auth required
Prerequisites: Network access to the target FTP server · Valid FTP credentials (username/password)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by aushack · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb

This Metasploit module exploits a denial-of-service vulnerability in FileZilla FTP Server by sending a malformed PORT command followed by a LIST command, causing the server to attempt writing to a NULL pointer and crash.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: FileZilla FTP Server versions 0.9.21 and earlier
No auth needed
Prerequisites: Network access to the FileZilla FTP Server
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

FileZilla Server < 0.9.22 - DoS via Wildcard Commands
MEDIUM · VERIFIED · by pussycat0x
Shodan: product:"FileZilla"

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30853
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2914
Product, Third Party Advisory x_refsource_confirm
http://sourceforge.net/project/shownotes.php?release_id=470364&group_id=21558
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4937

Scores

EPSS 0.7154
EPSS Percentile 98.8%

Details

CWE: CWE-476
Status: published
Products (1): filezilla-project/filezilla_server < 0.9.22
Published: Dec 15, 2006
Tracked Since: Feb 18, 2026