CVE-2009-4775

Ipswitch WS_FTP Professional 12 - Denial of Service via HTTP Response Status Code Format String


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4775. PoCs published by Jeremy Brown.

AI-analyzed exploit summary: This Perl script is a proof-of-concept exploit for a format string vulnerability in Ipswitch WS_FTP 12 Professional. It sets up a TCP listener on port 80 and sends a malformed HTTP response with a format string payload to trigger the vulnerability.

Description

Format string vulnerability in Ipswitch WS_FTP Professional 12 before 12.2 allows remote attackers to cause a denial of service (crash) via format string specifiers in the status code portion of an HTTP response.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Jeremy Brown · perl · dos · windows
https://www.exploit-db.com/exploits/9607

Classification
Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Ipswitch WS_FTP 12 Professional
No auth needed
Prerequisites: Network access to the target system · WS_FTP 12 Professional running and accessible
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0561
EPSS Percentile 91.9%

Details

CWE: CWE-134
Status: published
Products (2):
- ipswitch/ws_ftp 12.0 (2 CPE variants)
- ipswitch/ws_ftp 12.0.1 (2 CPE variants)
Published: Apr 21, 2010
Tracked Since: Feb 18, 2026