CVE-2020-6857

MEDIUM

Taskautomation CarbonFTP - Broken Cryptographic Algorithm

Title source: rule

Description

CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.

Exploits (1)

exploitdb WORKING POC
by hyp3rlinx · python · remote · windows
https://www.exploit-db.com/exploits/48363

Scores

CVSS v3 5.5
EPSS 0.0013
EPSS Percentile 31.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-327, CWE-798
Status published
Products (1)
taskautomation/carbonftp 1.4
Published Jan 21, 2020
Tracked Since Feb 18, 2026