CVE-2010-20115
Published 2025-08-21
CVE-2010-20115: Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a malformed FTP PORT…
Priority: P2 · 65 · critical · 9.3 (CVSS 4.0)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.86% (53.9th percentile)
Arcane Software’s Vermillion FTP Daemon (vftpd), in versions up to and including 1.31, contains a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, which lets an attacker manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is limited to a single execution attempt if the daemon is installed as a Windows service.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcane_software | vermillion_ftp_daemon | <= 1.31 | — |
Detection & IOCs
- Detect anomalous FTP PORT commands with non-standard or oversized arguments sent to vftpd. The exploit crafts its input to manipulate the low two bytes of the return address and redirect execution to a 'call edi' gadget within the binary.
- Monitor FTP PORT command arguments for non-numeric, non-comma characters or unusually long comma-delimited fields. The vulnerable parser ignores bytes that are neither digits nor commas but keeps walking the input while the source byte is non-null, which enables stack corruption through arithmetic accumulation (`*q = (*q * 10) + (*p - '0')`).
- Alert on vftpd.exe process crashes or single-instance service termination without restart. When installed as a Windows service the daemon does not restart automatically, so a crash is a strong indicator of an exploitation attempt.
- Exploitation is limited to a single attempt when vftpd is installed as a Windows service, because the service does not restart automatically after a crash. Defenders should note that a single malformed PORT command causing service termination is sufficient evidence of an attack.
- The exploit writes into a 4-byte stack buffer through attacker-controlled arithmetic, not a simple byte copy. Signature-based detection must account for this indirect corruption mechanism rather than a straightforward overflow pattern.
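One way to turn the PORT-argument guidance above into a check is to validate each command against the RFC 959 shape `h1,h2,h3,h4,p1,p2` (six decimal fields, each 0 to 255) and flag anything else. This is an added example, not a rule from the sources indexed on this page; the function names, reason labels and sample lines are assumptions made for illustration.

```python
# Added example: flag FTP PORT commands whose argument deviates from the
# RFC 959 form h1,h2,h3,h4,p1,p2 (six decimal fields, each 0..255).
MAX_ARG_LEN = len(b"255,255,255,255,255,255")  # longest well-formed argument

def check_port_command(line: bytes) -> list:
    """Return anomaly reasons for one control-channel line ([] if clean)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() != b"PORT":
        return []
    arg = arg.strip(b" \t")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized-argument")
    if any(b not in b"0123456789," for b in arg):
        reasons.append("illegal-byte")  # parser skips these, so flag them
    fields = arg.split(b",")
    if len(fields) != 6:
        reasons.append("field-count")
    for field in fields:
        # Judge the value the way a digit-accumulating parser would see it.
        digits = bytes(b for b in field if b in b"0123456789")
        if not digits:
            reasons.append("empty-field")
            break
        if len(digits) > 3 or int(digits) > 255:
            reasons.append("field-out-of-range")
            break
    return reasons

# Constructed control-channel lines (not captured traffic).
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PORT 192,168,1,10,19,137\r\n",
    b"PORT 10,0,0,5,4,1,7,7\r\n",
    b"PORT 10,0,0,5,99999999,1\r\n",
    b"PORT 10,0,0,5,AAAA4,1\r\n",
]

def scan(lines):
    """Return (line_number, reasons) for every anomalous PORT command."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = check_port_command(line)
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LINES):
        print(n, SAMPLE_LINES[n - 1].strip().decode("latin-1"), reasons)
```

Pairing a hit from this check with a vftpd.exe crash or service stop shortly afterwards gives a higher-confidence alert than either signal alone.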
No detection rules found.
No writeups or analysis indexed.
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
- https://web.archive.org/web/20100213162028/http://www.softsea.com/review/Vermillion-FTP-Daemon.html
- https://web.archive.org/web/20100416140657/http://www.global-evolution.info/news/files/vftpd/vftpd.txt
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=23681
- https://www.exploit-db.com/exploits/11293
- https://www.juniper.net/us/en/threatlabs/ips-signatures/detail.FTP:EXPLOIT:VERMILLION-PORT-OF.html
- https://www.vulncheck.com/advisories/vermillion-ftp-daemon-port-command-memory-corruption
Published: 2025-08-21