CVE-2010-20121

CRITICAL

EasyFTP Server <= 1.7.0.11 - Unauthenticated Stack-based Buffer Overflow via CWD Command

Exploitation Summary

EIP tracks 5 public exploits for CVE-2010-20121. PoCs have been published by fdiskyou, Metasploit, and Paul Makowski, and include the Metasploit module exploits/windows/ftp/easyftp_cwd_fixret.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Easy FTP Server v1.7.0.11 via the CWD command post-authentication. It delivers a shellcode payload to execute calc.exe, leveraging a known return address in user32.dll.

Description

EasyFTP Server versions up to 1.7.0.11 contain a stack-based buffer overflow vulnerability in the FTP command parser. When processing the CWD (Change Working Directory) command, the server fails to properly validate the length of the input string, allowing attackers to overwrite memory on the stack. This flaw enables remote code execution without authentication, as EasyFTP allows anonymous access by default. The vulnerability was resolved in version 1.7.0.12, after which the product was renamed “UplusFtp.”

Exploits (5)

exploitdb WORKING POC VERIFIED
by fdiskyou · python · remote · windows
https://www.exploit-db.com/exploits/14402

This exploit targets a buffer overflow vulnerability in Easy FTP Server v1.7.0.11 via the CWD command post-authentication. It delivers a shellcode payload to execute calc.exe, leveraging a known return address in user32.dll.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Easy FTP Server v1.7.0.11
Auth required
Prerequisites: Network access to target FTP server · Anonymous or valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16737

This exploit targets a stack-based buffer overflow in EasyFTP Server <= 1.7.0.11 via the CWD command. It uses a technique called 'fixRet' to inject a larger payload into a smaller buffer by overwriting the return address post-exploitation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: EasyFTP Server <= 1.7.0.11
No auth needed
Prerequisites: Network access to the target EasyFTP Server · EasyFTP Server version <= 1.7.0.11
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Paul Makowski · ruby · remote · windows
https://www.exploit-db.com/exploits/12312

This is a Metasploit module exploiting a stack-based buffer overflow in EasyFTP Server via the CWD command. It uses a custom technique called 'fixRet' to bypass payload size limitations by overwriting the return address post-exploitation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: EasyFTP Server <= 1.7.0.2
No auth needed
Prerequisites: Network access to the EasyFTP Server · Anonymous or valid FTP credentials
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by blake · ruby · remote · windows
https://www.exploit-db.com/exploits/11668

This is a functional Metasploit module exploiting a stack-based buffer overflow in Easy~FTP Server v1.7.0.2 via the CWD command. It includes a payload delivery mechanism and a return address for Windows XP SP3 English.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Easy~FTP Server v1.7.0.2
Auth required
Prerequisites: Valid FTP credentials · Network access to the target FTP server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC GREAT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb

This Metasploit module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier via the CWD command. It uses a technique called 'fixRet' to inject a larger payload into a smaller buffer by overwriting the return address post-exploitation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: EasyFTP Server <= 1.7.0.11
No auth needed
Prerequisites: Network access to the EasyFTP Server · EasyFTP Server with vulnerable version
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit, Mailing List, Third Party Advisory: https://seclists.org/bugtraq/2010/Feb/202
Exploit, VDB Entry: https://www.exploit-db.com/exploits/12312
Exploit, VDB Entry: https://www.exploit-db.com/exploits/16737
Exploit, VDB Entry: https://www.exploit-db.com/exploits/11668
Exploit, VDB Entry: https://www.exploit-db.com/exploits/14402

Scores

CVSS v3 9.8
EPSS 0.6864
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-121
Status published
Products (2)
easyftp_server_project/easyftp_server < 1.7.0.12
KMiNT21 Software/EasyFTP Server < 1.7.0.11
Published Aug 21, 2025
Tracked Since Feb 18, 2026