cbcvebase.
CVE-2008-5666
published 2008-12-19


Priority: P4 (low)
CVSS 2.0: 3.5, vector AV:N/AC:M/Au:S/C:N/I:N/A:P
Exploit: public exploit available
EPSS: 20.59% (97.2 percentile)
WinFTP FTP Server 2.3.0, when passive (aka PASV) mode is used, allows remote authenticated users to cause a denial of service via a sequence of FTP sessions that include an invalid "NLST -1" command.

Affected (1 range)

Vendor: wftpserver
Product: winftp_ftp_server
Version range / Fixed in: not listed

Detection & IOCs (extracted from sources)

command: NLST -1
command: PASV
filename: winftpsrv.exe
version: WinFTP FTP Server 2.3.0
  • Detect repeated FTP sessions sending the sequence PASV followed immediately by 'NLST -1' — this is the exact attack pattern for the DoS trigger in passive mode.
  • Alert on FTP NLST commands containing the argument '-1', especially when preceded by a PASV command in the same session, targeting winftpsrv.exe.
  • Monitor for rapid, looping FTP connection attempts (sleep of 0.2 seconds between sessions) sending PASV+NLST -1 — indicative of automated DoS exploitation.
  • Even anonymous FTP accounts can trigger this DoS if they have NLST permission; flag anonymous logins followed by NLST -1 on WinFTP 2.3.0 servers.
  • A secondary exploit variant uses a long repeated '..?' pattern (~35000 repetitions) as the NLST argument; detect abnormally long NLST argument strings on port 21.
  • The DoS is specifically triggered only when passive (PASV) mode is in use; the vulnerability does not apply to active mode FTP sessions.
  • Authentication is required, but the privilege bar is low: anonymous accounts with NLST permission are sufficient to exploit this vulnerability.

CVSS provenance

Source: nvd, CVSS v2.0, score 3.5 (LOW), vector AV:N/AC:M/Au:S/C:N/I:N/A:P
Source: vendor_redhat, score 6.2 (MEDIUM)