CVE-2010-20103

CRITICAL EXPLOITED NUCLEI

ProFTPD 1.3.3c - Unauthenticated Remote Code Execution via Hidden FTP Command

Title source: llm

Exploitation Summary

CVE-2010-20103 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits, credited to Metasploit, anonymous, MC and darkharper2, among them the Metasploit module exploits/unix/ftp/proftpd_133c_backdoor. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets a backdoor in ProFTPD 1.3.3c, which was present in the source code archive between November 28th and December 2nd, 2010. It sends a specific command to trigger the backdoor and execute arbitrary commands on the target system.

Description

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16921

This exploit targets a backdoor in ProFTPD 1.3.3c, which was present in the source code archive between November 28th and December 2nd, 2010. It sends a specific command to trigger the backdoor and execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ProFTPD 1.3.3c
No auth needed
Prerequisites: Network access to the ProFTPD service · Target must be running the backdoored version of ProFTPD 1.3.3c
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by anonymous · text · remote · linux
https://www.exploit-db.com/exploits/15662

This is a detailed report and patch analysis of the ProFTPD 1.3.3c backdoor incident from 2010, including the malicious modifications to the source code and the rootkit patch. It provides technical insights into the backdoor mechanism and the compromised distribution process.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ProFTPD 1.3.3c
No auth needed
Prerequisites: Access to a compromised ProFTPD 1.3.3c source distribution
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by MC, darkharper2 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb

This Metasploit module exploits a backdoor in ProFTPD 1.3.3c by sending a specific command to trigger remote command execution. It checks for the backdoor presence and executes the payload if confirmed.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ProFTPD 1.3.3c
No auth needed
Prerequisites: ProFTPD 1.3.3c with the backdoor present
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ProFTPd-1.3.3c - Backdoor Command Execution
CRITICAL · by pussycat0x
Shodan: product:"ProFTPD"

Scores

CVSS v3 9.8
EPSS 0.8508
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-08-20
CWE: CWE-912
Status: published
Products (2)
proftpd/proftpd 1.3.3 c
ProFTPD Project/ProFTPD (Professional FTP Daemon) 1.3.3c
Published Aug 20, 2025
Tracked Since Feb 18, 2026