CVE-2010-2620
published 2010-07-02

Priority: P270, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 28.61% (97.9th percentile)
Open&Compact FTP Server (Open-FTPD) 1.2 and earlier allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
open-ftpd | open-ftpd | <= 1.2 |
open-ftpd | open-ftpd | |

Detection & IOCs (extracted from sources)

version: Open&Compact FTP Server (Open-FTPD) <= 1.2
command: LIST (unauthenticated)
command: RETR (unauthenticated)
command: STOR (unauthenticated)
command: CWD C:\windows\repair\ (unauthenticated directory traversal)
command: RETR sam (unauthenticated SAM file retrieval)
path: C:\windows\repair\sam
  • Alert on FTP banner matching '** Welcome on **' — the Metasploit module uses this exact string to fingerprint vulnerable Open-FTPD instances.
  • Detect STOR of .exe files into C:\WINDOWS\system32\ followed by STOR of .mof files into C:\WINDOWS\system32\wbem\mof\ over FTP — this is the WMI-based code execution chain.
  • The WMI MOF-based code execution technique (dropping .mof into wbem\mof\) only works on Windows versions prior to Vista; the exploit will not achieve code execution on Vista or later.
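
One way to turn the unauthenticated-command indicators above into a log check, as an added example that is not part of the original page or of any vendor tooling. The log format ("<session> <C|S> <text>"), the PROTECTED command set, the function name and every sample line are assumptions constructed for illustration.

```python
# Added example: flag FTP file/directory commands sent before login completes
# (the CVE-2010-2620 pattern) and record whether the server accepted them.
# Assumed log format: "<session> <C|S> <text>"; all sample lines are constructed.
from collections import defaultdict

# Commands that touch files or directories and should require a completed login.
PROTECTED = {"LIST", "NLST", "RETR", "STOR", "APPE", "CWD", "DELE", "MKD", "RMD"}

SAMPLE_LOG = r"""
s1 S 220 ** Welcome on **
s1 C CWD C:\windows\repair\
s1 S 250 CWD command successful
s1 C RETR sam
s1 S 150 Opening data connection
s2 S 220 ready
s2 C USER alice
s2 S 331 Password required
s2 C PASS ****
s2 S 230 Logged in
s2 C LIST
s2 S 150 Opening data connection
s3 S 220 ready
s3 C LIST
s3 S 530 Not logged in
"""

def find_preauth_commands(log_text):
    """Return (session, command, reply_code, accepted) for each protected
    command sent before the server issued 230 (login successful)."""
    logged_in = defaultdict(bool)
    pending = {}    # session -> protected command awaiting its first reply
    findings = []
    for raw in log_text.splitlines():
        parts = raw.strip().split(" ", 2)
        if len(parts) < 3:
            continue
        session, direction, text = parts
        if direction == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb in PROTECTED and not logged_in[session]:
                pending[session] = text
        elif direction == "S" and text[:3].isdigit():
            code = int(text[:3])
            if code == 230:
                logged_in[session] = True
            if session in pending:
                # A 1xx/2xx reply means the server acted on it without a login.
                findings.append((session, pending.pop(session), code, code < 300))
    return findings

if __name__ == "__main__":
    for finding in find_preauth_commands(SAMPLE_LOG):
        print(finding)
```

Findings with accepted set to True indicate a server that honoured the command without a login; a 530 reply (accepted False) is a refused attempt and is lower priority.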