CVE-2010-20115
published 2025-08-21


Priority: P2 · 65 · critical · 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.86% (53.9th percentile)
Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contain a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, allowing an attacker to manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is constrained to a single execution attempt if the daemon is installed as a Windows service.

Affected

1 range
Vendor | Product | Version range | Fixed in
arcane_software | vermillion_ftp_daemon | <= 1.31 |

Detection & IOCs (extracted from sources)

process: vftpd.exe
command: Malformed FTP PORT command
  • Detect anomalous FTP PORT commands with non-standard or oversized arguments targeting vftpd; the exploit crafts input to manipulate the low two bytes of the return address to redirect execution to a 'call edi' gadget within the binary.
  • Monitor FTP PORT command arguments containing non-numeric, non-comma characters or unusually long comma-delimited fields; the vulnerable parser ignores non-digit/non-comma bytes but continues walking the input while the source byte is non-null, enabling stack corruption via arithmetic accumulation (*q = (*q * 10) + (*p - '0')).
  • Alert on vftpd.exe process crashes or single-instance service termination without restart; if installed as a Windows service the daemon does not restart automatically, meaning a crash is a strong indicator of an exploitation attempt.
  • Exploitation is limited to a single attempt when vftpd is installed as a Windows service, because the service does not restart automatically after a crash. Defenders should note that a single malformed PORT command causing service termination is sufficient evidence of an attack.
  • The exploit writes into a 4-byte stack buffer via attacker-controlled arithmetic, not a simple byte copy. Signature-based detection must account for the indirect corruption mechanism rather than a straightforward overflow pattern.
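
One way to implement the PORT-argument monitoring described in the bullets above, as an added example (not code from the vendor or from this page's sources): it checks each PORT command against the RFC 959 form of six comma-separated decimal fields, each 0..255, and reports why a command deviates. The function names and the sample command lines are constructed for illustration.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -- six decimal fields, each one octet (0..255).
PORT_RE = re.compile(rb"^\s*PORT(?:\s+(.*))?$", re.IGNORECASE)
EXPECTED_FIELDS = 6
MAX_FIELD_DIGITS = 3


def check_port_argument(arg: bytes) -> list[str]:
    """Return the reasons a PORT argument deviates from RFC 959 (empty list = clean)."""
    reasons = []
    if re.search(rb"[^0-9,]", arg):
        reasons.append("non-digit/non-comma byte")
    fields = arg.split(b",")
    if len(fields) != EXPECTED_FIELDS:
        reasons.append(f"{len(fields)} fields instead of {EXPECTED_FIELDS}")
    for i, field in enumerate(fields):
        # Keep only digits: this is what a parser that skips other bytes accumulates.
        digits = re.sub(rb"[^0-9]", b"", field)
        if not digits:
            reasons.append(f"field {i} has no digits")
        elif len(digits) > MAX_FIELD_DIGITS or int(digits) > 255:
            reasons.append(f"field {i} exceeds one octet")
    return reasons


def scan(lines):
    """Yield (line_number, reasons) for every PORT command that fails the check."""
    for n, raw in enumerate(lines, 1):
        m = PORT_RE.match(raw.rstrip(b"\r\n"))
        if m:
            reasons = check_port_argument(m.group(1) or b"")
            if reasons:
                yield n, reasons


# Constructed sample of client commands as captured on the FTP control channel.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PORT 192,168,1,20,19,137\r\n",          # well-formed
    b"PORT 192,168,1,20,19,137,1,1,1,1\r\n",  # extra comma-delimited fields
    b"PORT 192,168,1,20,4000000,1\r\n",       # field far larger than one octet
    b"PORT 192,168,1,20,19,1A7\r\n",          # stray non-digit byte
]

if __name__ == "__main__":
    for line_no, why in scan(SAMPLE_COMMANDS):
        print(f"line {line_no}: {'; '.join(why)}")
```

Because the check validates the syntax of the argument rather than matching a payload, it does not depend on how the corrupted value is computed, which is the concern raised in the last bullet.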