CVE-2015-3306

NUCLEI

ProFTPD 1.3.5 - Unauthenticated Arbitrary File Read and Write via mod_copy Site Commands

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 26 public exploits for CVE-2015-3306. PoCs published by Shellbr3ak, Metasploit, anonymous, including Metasploit module exploits/unix/ftp/proftpd_modcopy_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages the 'mod_copy' module in ProFTPd 1.3.5 to copy files to a web-accessible directory, achieving remote command execution by writing a PHP file. It uses the SITE CPFR and SITE CPT commands to copy '/etc/passwd' and '/proc/self/fd/3' to a PHP file in the web root.

Description

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

Exploits (26)

exploitdb WORKING POC VERIFIED
by Shellbr3ak · pythonremotelinux
https://www.exploit-db.com/exploits/49908

This exploit leverages the 'mod_copy' module in ProFTPd 1.3.5 to copy files to a web-accessible directory, achieving remote command execution by writing a PHP file. It uses the SITE CPFR and SITE CPT commands to copy '/etc/passwd' and '/proc/self/fd/3' to a PHP file in the web root.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy module
No auth needed
Prerequisites: ProFTPd 1.3.5 with mod_copy enabled · Write access to a web-accessible directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/37262

This Metasploit module exploits CVE-2015-3306 in ProFTPD 1.3.5 by leveraging the SITE CPFR/CPTO commands to copy files arbitrarily, ultimately achieving remote code execution via a PHP payload written to the web directory.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5
No auth needed
Prerequisites: ProFTPD 1.3.5 with mod_copy enabled · Writable web directory · Access to FTP port (21) and HTTP port (80)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by anonymous · textremotelinux
https://www.exploit-db.com/exploits/36742

This is a writeup describing the exploitation of CVE-2015-3306 in ProFTPD's mod_copy module, where unauthenticated users can abuse SITE CPFR/CPTO commands to copy files, potentially leading to arbitrary file writes or information disclosure.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.5rc3 (with mod_copy)
No auth needed
Prerequisites: ProFTPD with mod_copy enabled · Network access to the FTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by R-73eN · pythonremotelinux
https://www.exploit-db.com/exploits/36803

This exploit leverages the mod_copy module in ProFTPd 1.3.5 to achieve remote command execution by copying a malicious PHP payload to a web-accessible directory and executing it via HTTP request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy
No auth needed
Prerequisites: ProFTPd 1.3.5 with mod_copy enabled · Write access to a web-accessible directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 144 stars
by t0kx · poc
https://github.com/t0kx/exploit-CVE-2015-3306

This exploit leverages the mod_copy module in ProFTPD 1.3.5 to achieve remote command execution by copying a malicious PHP payload to the web directory via the site cpfr and site cpto commands. The payload is then triggered via HTTP to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy module
No auth needed
Prerequisites: ProFTPD 1.3.5 with mod_copy enabled · Access to the FTP service on port 21 · Web server accessible on port 80
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by nootropics · poc
https://github.com/nootropics/propane

This PoC exploits CVE-2015-3306, an arbitrary file write vulnerability in ProFTPD's mod_copy module, allowing file read, write, and potential remote code execution via a malicious PHP file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD with mod_copy module
No auth needed
Prerequisites: Network access to ProFTPD service · mod_copy module enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by cybersensei-EH · poc
https://github.com/cybersensei-EH/hackviser_labs_CVE-2015-3306

This exploit leverages the ProFTPd mod_copy module vulnerability (CVE-2015-3306) to copy a local file (secret.txt) to a web-accessible directory, enabling remote file disclosure. It uses FTP commands to perform the copy operation and verifies success via HTTP.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy module
No auth needed
Prerequisites: ProFTPd 1.3.5 with mod_copy enabled · Network access to FTP port (21) · Write access to web directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 1 stars
by vadimgggg · pythonpoc
https://github.com/vadimgggg/CVE-PoC/tree/main/CVE-2015-3306

This repository provides a functional exploit for CVE-2015-3306, a command injection vulnerability in ProFTPD 1.3.5 via the mod_copy module. The Docker setup deploys a vulnerable ProFTPD instance, and the exploit uses base64-encoded commands to achieve remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy
No auth needed
Prerequisites: Docker environment · Network access to target FTP port (21)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by jptr218 · poc
https://github.com/jptr218/proftpd_bypass

This PoC exploits CVE-2015-3306, an authentication bypass in ProFTPD's mod_copy, by chaining SITE CPFR and SITE CPTO commands to copy files either locally or remotely without proper authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD with mod_copy (versions prior to 1.3.5a)
No auth needed
Prerequisites: Network access to ProFTPD server with mod_copy enabled · Knowledge of file paths for local/remote copy operations
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xm4ud · poc
https://github.com/0xm4ud/ProFTPD_CVE-2015-3306

This exploit leverages CVE-2015-3306 in ProFTPD 1.3.5 to achieve remote code execution by uploading a PHP backdoor via the 'site cpfr/cpto' commands and executing arbitrary commands through HTTP requests. It supports both direct command execution and reverse shell functionality.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5
No auth needed
Prerequisites: Target running ProFTPD 1.3.5 with mod_copy module enabled · Network access to the FTP service (port 21) and HTTP service (port 80)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by cd6629 · poc
https://github.com/cd6629/CVE-2015-3306-Python-PoC

This Python PoC exploits CVE-2015-3306 in ProFTPD by leveraging the mod_copy module to copy a malicious PHP shell to a web-accessible directory, then triggers it via HTTP requests to achieve remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD with mod_copy module (versions before 1.3.5a)
No auth needed
Prerequisites: Target running vulnerable ProFTPD with mod_copy enabled · Network access to FTP (port 21) and HTTP (port 80) services · Attacker-controlled web server hosting a reverse shell payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by davidtavarez · poc
https://github.com/davidtavarez/CVE-2015-3306

This PoC exploits CVE-2015-3306 in ProFTPd 1.3.5 with mod_copy enabled, allowing remote command execution by copying a malicious PHP file to the target web server directory. It uses FTP commands to write a PHP shell and then executes arbitrary commands via HTTP.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy
No auth needed
Prerequisites: ProFTPd with mod_copy enabled · FTP service accessible · Web server running on target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by xyk0x · poc
https://github.com/xyk0x/cpx_proftpd

This repository contains a functional Python exploit for CVE-2015-3306, a vulnerability in ProFTPD that allows arbitrary file copying via the SITE CPFR/CPTO commands. The PoC demonstrates two methods: copying files to a web-accessible directory and uploading a malicious PHP file for remote command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD (versions affected by CVE-2015-3306)
Auth required
Prerequisites: FTP access to the target ProFTPD server · SITE CPFR/CPTO commands enabled
devstral-2 · analyzed Feb 24, 2026 Full analysis →
nomisec WORKING POC 1 stars
by shk0x · poc
https://github.com/shk0x/cpx_proftpd

This PoC exploits CVE-2015-3306 in ProFTPD by leveraging the SITE CPFR/CPTO commands to either copy arbitrary files or upload a malicious PHP shell. It demonstrates both file read and remote code execution via FTP command injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD (versions affected by CVE-2015-3306)
No auth needed
Prerequisites: Network access to vulnerable ProFTPD server · SITE CPFR/CPTO commands enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by bcononugbor-source · poc
https://github.com/bcononugbor-source/OpenVAS-Vulnerability-Analysis-Incident-Response-Report

This repository provides a detailed technical analysis and incident response workflow for CVE-2015-3306, a critical vulnerability in ProFTPD's mod_copy module. It includes validation steps, MITRE ATT&CK mapping, and remediation recommendations, but does not contain functional exploit code.

Classification
Writeup 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5
No auth needed
Prerequisites: ProFTPD with mod_copy enabled · Network access to port 21
devstral-2 · analyzed Jun 04, 2026 Full analysis →
github WRITEUP
by Zahid-secure · poc
https://github.com/Zahid-secure/cve-walkthrough-labs/tree/main/2015/CVE-2015-3306-kenobi-tryhackme

This is a detailed technical walkthrough of CVE-2015-3306, covering the exploitation of ProFTPD's mod_copy module for unauthenticated file copying and subsequent privilege escalation via SUID binary PATH manipulation. It includes step-by-step enumeration, exploitation, and post-exploitation techniques.

Classification
Writeup 100%
Attack Type
Rce | Lpe
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy
No auth needed
Prerequisites: network access to target · nmap · smbclient · netcat · mount · ssh
devstral-2 · analyzed Mar 13, 2026 Full analysis →
nomisec WRITEUP
by canpilayda · poc
https://github.com/canpilayda/proftpd-mod_copy-cve-2015-3306

This repository contains a lab report detailing the exploitation of CVE-2015-3306, a vulnerability in ProFTPD 1.3.5's mod_copy module, which allows unauthorized file access. The report includes steps to exploit the vulnerability and mitigation recommendations.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy
No auth needed
Prerequisites: ProFTPD 1.3.5 with mod_copy enabled · Network access to the vulnerable service
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by netw0rk7 · poc
https://github.com/netw0rk7/CVE-2015-3306-Home-Lab

This repository provides a Docker-based lab environment to simulate CVE-2015-3306, a ProFTPD mod_copy RCE vulnerability. It includes a vulnerable ProFTPD 1.3.5 setup with mod_copy enabled, allowing attackers to copy files to a web directory and achieve remote code execution via a web shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy
No auth needed
Prerequisites: Docker environment · Network access to the target FTP and HTTP ports
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by donmedfor · poc
https://github.com/donmedfor/CVE-2015-3306

This is a functional Python PoC exploit for CVE-2015-3306, a directory traversal vulnerability in ProFTPD. It leverages the SITE CPFR/CPTO commands to drop a PHP backdoor into the webroot, enabling remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5b and earlier
No auth needed
Prerequisites: Network access to the target FTP service · Write permissions in the target webroot directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Z3R0space · poc
https://github.com/Z3R0space/CVE-2015-3306

This repository contains a functional Python exploit for CVE-2015-3306, targeting ProFTPd 1.3.5's mod_copy module. The exploit copies an SSH private key to a remote location and mounts it locally, enabling unauthorized SSH access.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy
No auth needed
Prerequisites: ProFTPd 1.3.5 with mod_copy enabled · network access to the target FTP server
devstral-2 · analyzed Feb 25, 2026 Full analysis →
nomisec WORKING POC
by Z3R0-0x30 · poc
https://github.com/Z3R0-0x30/CVE-2015-3306

This exploit leverages the ProFTPd 1.3.5 mod_copy vulnerability (CVE-2015-3306) to copy an SSH private key to a remote directory via the SITE CPFR and SITE CPT commands, then mounts the remote directory locally for access.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPd 1.3.5 with mod_copy
No auth needed
Prerequisites: Network access to ProFTPd server · mod_copy module enabled · SSH private key location · Write permissions on target directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by JoseLRC97 · poc
https://github.com/JoseLRC97/ProFTPd-1.3.5-mod_copy-Remote-Command-Execution

This Python script exploits CVE-2015-3306 in ProFTPD 1.3.5 by leveraging the 'mod_copy' module to achieve remote command execution via crafted SITE CPFR/CPTO commands. It writes a PHP payload to a target directory and triggers execution via HTTP request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5 with mod_copy module
No auth needed
Prerequisites: FTP service accessible on target port · mod_copy module enabled in ProFTPD · Write permissions in target directories
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by hackarada · poc
https://github.com/hackarada/cve-2015-3306

This repository provides a Docker image for CVE-2015-3306 but lacks actual exploit code. The main.sh script only starts Apache, and the README provides basic Docker commands without technical details on exploitation.

Classification
Stub 80%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: ProFTPD (mod_copy module) 1.3.5
No auth needed
Prerequisites: Docker environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2015-3306

This repository contains a Docker-based PoC for CVE-2015-3306, a vulnerability in ProFTPD mod_copy. The main.sh script starts Apache and ProFTPD in a vulnerable configuration, likely to demonstrate the exploit.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD with mod_copy module
No auth needed
Prerequisites: Docker environment · Vulnerable ProFTPD installation with mod_copy enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by cdedmondson · poc
https://github.com/cdedmondson/Modified-CVE-2015-3306-Exploit

This is a modified exploit for CVE-2015-3306, a ProFTPD command injection vulnerability. It leverages the original exploit to upload a PHP backdoor and then fetches a reverse shell using either wget or curl.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD (versions affected by CVE-2015-3306)
No auth needed
Prerequisites: Network access to the target ProFTPD server · A hosted PHP reverse shell · A listener for the reverse shell connection
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Vadim Melihow · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb

This Metasploit module exploits CVE-2015-3306 in ProFTPD 1.3.5 by leveraging the SITE CPFR/CPTO commands to copy files arbitrarily, ultimately achieving remote code execution via a PHP payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.5
No auth needed
Prerequisites: ProFTPD 1.3.5 with mod_copy enabled · Writable web directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ProFTPd - Remote Code Execution
CRITICALby pdteam
Shodan: cpe:"cpe:2.3:a:proftpd:proftpd"

References (14)

Core 14
Core References
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36803/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3263
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-06/msg00020.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74238
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36742/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157581.html
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html

Scores

EPSS 0.9384
EPSS Percentile 99.9%

Details

CWE
CWE-284
Status published
Products (1)
proftpd/proftpd 1.3.5
Published May 18, 2015
Tracked Since Feb 18, 2026