CVE-2011-4722

Ipswitch TFTP Server 1.0.0.24 - Path Traversal via RRQ Filename Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-4722. PoCs published by SecPod Research, Prabhu S Angadi, sinn3r, juan vazquez, including Metasploit module auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in Ipswitch TFTP Server 1.0.0.24, allowing an attacker to read arbitrary files by sending a crafted TFTP Read Request with '../' sequences. The PoC sends a UDP packet to retrieve the 'boot.ini' file from the target system.

Description

Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

Exploits (2)

exploitdb WORKING POC VERIFIED
by SecPod Research · textremotewindows
https://www.exploit-db.com/exploits/18189

This exploit demonstrates a directory traversal vulnerability in Ipswitch TFTP Server 1.0.0.24, allowing an attacker to read arbitrary files by sending a crafted TFTP Read Request with '../' sequences. The PoC sends a UDP packet to retrieve the 'boot.ini' file from the target system.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ipswitch TFTP Server 1.0.0.24
No auth needed
Prerequisites: Network access to the TFTP server (UDP port 69)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Prabhu S Angadi, sinn3r, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb

This Metasploit module exploits a directory traversal vulnerability in IpSwitch WhatsUp Gold's TFTP service (CVE-2011-4722) to read arbitrary files from the target system. It sends a crafted TFTP request with traversal sequences to retrieve files like 'windows\win.ini' and saves the output to disk.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: IpSwitch WhatsUp Gold TFTP service
No auth needed
Prerequisites: Network access to the TFTP service (UDP port 69)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Various Sources vendor-advisory x_refsource_hp
https://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05054714
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/77455
Exploit x_refsource_misc
http://secpod.org/blog/?p=424
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47025
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1026368
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71610
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18189/

Scores

EPSS 0.5760
EPSS Percentile 99.0%

Details

CWE
CWE-22
Status published
Products (1)
ipswitch/tftp_server 1.0.0.24
Published Dec 28, 2014
Tracked Since Feb 18, 2026