CVE-2010-20103
published 2025-08-20


Priority: P188, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.75% (90.8th percentile)

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.

Affected

2 ranges

Vendor            Product   Version range   Fixed in
proftpd           proftpd
proftpd_project   proftpd

Detection & IOCs (extracted from sources)

command: HELP ACIDBITCHEZ
version: ProFTPD 1.3.3c
  • Detect exploitation attempts by monitoring FTP traffic for the hidden backdoor trigger command 'HELP ACIDBITCHEZ' sent to port 21.
  • Flag any FTP server banner advertising 'ProFTPD 1.3.3c' as potentially running the backdoored binary; the compromised tarball was distributed between November 28 and December 2, 2010.
  • A server response that does NOT contain '502 Unknown command' after sending 'HELP ACIDBITCHEZ' is a strong indicator the backdoor is active and the command was accepted.
  • The backdoor is only present in the official source tarballs (proftpd-1.3.3c.tar.bz2 and proftpd-1.3.3c.tar.gz) distributed during the specific window; binaries compiled from uncompromised sources or other versions are not affected.
  • Exploitation requires no authentication; any remote attacker can trigger the backdoor command and gain root-level shell execution without credentials.
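
The three detection checks above (banner, trigger command, missing 502 reply) applied to FTP control-channel transcripts. This is an added example, not code from the page's sources; the (direction, text) transcript layout, the finding labels and the sample sessions are assumptions constructed for illustration.

```python
import re

TRIGGER = "HELP ACIDBITCHEZ"       # backdoor trigger named on this page
BAD_BANNER = "ProFTPD 1.3.3c"      # version string named on this page
REJECTED = "502 Unknown command"   # reply expected when the backdoor is absent


def analyze_session(lines):
    """Return findings for one FTP control-channel transcript.

    `lines` is a list of (direction, text) tuples: 'C' = client, 'S' = server.
    This layout is an assumption of the example, not a real log format.
    """
    findings = []
    awaiting_reply = False
    for direction, raw in lines:
        text = raw.rstrip("\r\n")
        if direction == "S":
            if text.startswith("220") and BAD_BANNER in text:
                findings.append("banner-1.3.3c")
            if awaiting_reply:
                # First server line after the trigger decides the verdict.
                findings.append("trigger-rejected" if REJECTED in text
                                else "trigger-accepted")
                awaiting_reply = False
        elif direction == "C":
            # Normalise case and whitespace so padded or lower-cased
            # variants are still flagged (a conservative choice).
            if re.sub(r"\s+", " ", text).strip().upper() == TRIGGER:
                findings.append("trigger-sent")
                awaiting_reply = True
    if awaiting_reply:
        findings.append("trigger-unanswered")  # capture ended with no reply
    return findings


# Constructed transcripts, not captured traffic.
CLEAN = [
    ("S", "220 ProFTPD 1.3.4 Server (example) [192.0.2.10]\r\n"),
    ("C", "help  acidbitchez\r\n"),
    ("S", "502 Unknown command 'ACIDBITCHEZ'\r\n"),
]
SUSPECT = [
    ("S", "220 ProFTPD 1.3.3c Server (example) [192.0.2.20]\r\n"),
    ("C", "HELP ACIDBITCHEZ\r\n"),
    ("S", "(constructed non-502 server output)\r\n"),
]

if __name__ == "__main__":
    for name, session in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, analyze_session(session))
```

A "trigger-sent" finding is worth alerting on by itself, since no legitimate client issues this command; "trigger-accepted" or "trigger-unanswered" should be treated as a likely compromise of the host.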

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.3 CRITICAL