CVE-2020-6857

MEDIUM

CarbonFTP 1.4 - Use of a Broken or Risky Cryptographic Algorithm

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-6857. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: This exploit decrypts passwords stored by Neowise CarbonFTP 1.4, which is possible because the product uses a weak hard-coded encryption key. It processes encrypted passwords from configuration files or direct input, reversing the proprietary encryption algorithm.

Description

CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.

Exploits (1)

exploitdb WORKING POC
by hyp3rlinx · python · remote · windows
https://www.exploit-db.com/exploits/48363

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Neowise CarbonFTP 1.4
No auth needed
Prerequisites: Access to victim's CarbonFTP configuration files or an encrypted password string
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory x_refsource_misc
http://hyp3rlinx.altervista.org
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://seclists.org/bugtraq/2020/Jan/30
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Jan/29
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Jan/35

Scores

CVSS v3 5.5
EPSS 0.0097
EPSS Percentile 57.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-327, CWE-798
Status published
Products (1)
taskautomation/carbonftp 1.4
Published Jan 21, 2020
Tracked Since Feb 18, 2026