CVE-2011-2523
Published: 2019-11-27
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
Priority P182 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 96.18% (99.9th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | vsftpd | — | — |
| vsftpd | vsftpd | — | — |
| vsftpd_project | vsftpd | — | — |
Detection & IOCs
- Detect the backdoor trigger pattern: any FTP USER command containing a smiley face ':)' suffix (e.g., 'USER <anything>:)') on port 21/tcp is the backdoor activation sequence for CVE-2011-2523.
- Monitor for unexpected new listening service on port 6200/tcp following an FTP connection to vsftpd 2.3.4; this indicates successful backdoor activation.
- Detect connection attempts to port 6200/tcp immediately after an FTP session to port 21/tcp on the same host; this two-step connection pattern is characteristic of the backdoor exploit.
- The Metasploit module exploit/unix/ftp/vsftpd_234_backdoor (disclosed 2011-07-03) can be used to verify presence of the backdoor; detection of this module's traffic pattern (USER with ':)' then immediate TCP connect to port 6200) is a strong indicator of exploitation.
- After connecting to the backdoor shell on port 6200, the exploit sends 'id\n' and expects 'uid=' in the response to confirm shell access; monitor for this pattern in network traffic on port 6200.
- The backdoor is only present in vsftpd-2.3.4.tar.gz downloaded between June 30th and July 3rd 2011; installations from outside this window or from trusted package managers are not affected.
- A host firewall blocking port 6200/tcp will prevent the backdoor shell from being reached even if the backdoor is triggered, as observed in the HackTheBox 'Lame' machine scenario.
- The backdoor cannot be reached if the FTP server is configured for anonymous-only access, as the USER command with ':)' suffix will return a 530 response before the backdoor code path is executed.
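The two-step pattern from the list above, as a detection sketch added here (it is not code from any of the quoted sources): it flags the `USER ...:)` trigger on 21/tcp and escalates when a connection to 6200/tcp on the same server follows within a short window. The log line format, the 30-second window and the sample addresses are assumptions constructed for the example.

```python
"""Correlate the CVE-2011-2523 trigger (USER ...:)) with a connect to 6200/tcp."""
import re

WINDOW_SECONDS = 30   # assumed correlation window; tune to your sensors
BACKDOOR_PORT = 6200
# USER argument containing ':)' (the page describes it as a suffix; matching it
# anywhere in the argument is a superset of that).
TRIGGER = re.compile(r"^USER\s+.*:\)", re.IGNORECASE)

# Constructed sample, hypothetical format: "<epoch> <client> <server> <dport> <event>"
# where <event> is "FTP <command line>" or "CONN" (new TCP connection).
SAMPLE_LOG = """\
1000.0 203.0.113.7 10.0.0.5 21 FTP USER backup:)
1000.4 203.0.113.7 10.0.0.5 21 FTP PASS x
1002.1 203.0.113.7 10.0.0.5 6200 CONN
1100.0 198.51.100.9 10.0.0.8 21 FTP USER alice
1101.0 198.51.100.9 10.0.0.8 6200 CONN
1200.0 192.0.2.44 10.0.0.9 21 FTP USER test:)
"""

def detect(log_text, window=WINDOW_SECONDS):
    """Return alerts in log order; input is assumed sorted by timestamp."""
    last_trigger = {}  # server IP -> timestamp of the most recent trigger
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, server, dport, event = line.split(" ", 4)
        ts, dport = float(ts), int(dport)
        if dport == 21 and event.startswith("FTP ") and TRIGGER.match(event[4:]):
            last_trigger[server] = ts
            alerts.append({"stage": "trigger", "server": server,
                           "client": client, "ts": ts})
        elif dport == BACKDOOR_PORT and event == "CONN":
            t0 = last_trigger.get(server)
            # Only a 6200/tcp connect that follows a trigger on the same server counts.
            if t0 is not None and 0 <= ts - t0 <= window:
                alerts.append({"stage": "shell-connect", "server": server,
                               "client": client, "ts": ts})
    return alerts

def compromised_servers(alerts):
    """Servers where the trigger was followed by a connect to the backdoor port."""
    return sorted({a["server"] for a in alerts if a["stage"] == "shell-connect"})

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A `trigger` alert without a following `shell-connect` still deserves triage: as the list notes, a host firewall on 6200/tcp can hide the second step even when the backdoored build is present.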
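CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |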
Red Hat
vsftpd: backdoor which opens a shell on port 6200/tcp
vendor_redhat·2011-07-04·CVSS 9.8
CVE-2011-2523 [CRITICAL] CWE-78 vsftpd: backdoor which opens a shell on port 6200/tcp
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
Statement: Not vulnerable. This issue did not affect the versions of vsftpd as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.
Package: vsftpd (Red Hat Enterprise Linux 5) - Not affected
Package: vsftpd (Red Hat Enterprise Linux 6) - Not affected
Package: vsftpd (Red Hat Enterprise Linux 7) - Not affected
Package: vsftpd (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2011-2523: vsftpd - vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which ...
vendor_debian·2011·CVSS 9.8
CVE-2011-2523 [CRITICAL] CVE-2011-2523: vsftpd - vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which ...
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-qf3g-hgw2-8r8h: vsftpd 2
ghsa_unreviewed·2022-04-22
CVE-2011-2523 [HIGH] CWE-78 GHSA-qf3g-hgw2-8r8h: vsftpd 2
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
No detection rules found.
Exploit-DB
vsftpd 2.3.4 - Backdoor Command Execution
exploitdb·2021-04-12·CVSS 9.8
CVE-2011-2523 [CRITICAL] vsftpd 2.3.4 - Backdoor Command Execution
---
```python
# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523

#!/usr/bin/python3

from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit

def handler(signal_received, frame):
    # Handle any cleanup here
    print(' [+]Exiting...')
    exit(0)

signal(SIGINT, handler)
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line

user="USER nergal:)"
password="PASS pass
```
Exploit-DB
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
exploitdb·2011-07-05
CVE-2011-2523 vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
---
```ruby
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'VSFTPD v2.3.4 Backdoor Command Execution',
      'Description' => %q{
          This module exploits a malicious backdoor that was added to the VSFTPD download
          archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between
          June 30th 2011 and July 1st 2011 according to the most recent information
          available. This backdoor was removed on July 3rd 2011.
      },
      'Author' => [
```
Metasploit
VSFTPD 2.3.4 Backdoor Command Execution
metasploit
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.
Nuclei
VSFTPD 2.3.4 - Backdoor Command Execution
nuclei·CVSS 9.8
CVE-2011-2523 [CRITICAL] VSFTPD 2.3.4 - Backdoor Command Execution
VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
Template:
```yaml
id: CVE-2011-2523

info:
  name: VSFTPD 2.3.4 - Backdoor Command Execution
  author: pussycat0x
  severity: critical
  description: |
    VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
  impact: |
    Successful exploitation of this vulnera
```
Bugzilla
CVE-2011-2523 vsftpd: backdoor which opens a shell on port 6200/tcp
bugzilla·2019-12-02·CVSS 9.8
CVE-2011-2523 [CRITICAL] CVE-2011-2523 vsftpd: backdoor which opens a shell on port 6200/tcp
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
Reference:
https://vigilance.fr/vulnerability/vsftpd-backdoor-in-version-2-3-4-10805
https://packetstormsecurity.com/files/102745/VSFTPD-2.3.4-Backdoor-Command-Execution.html
Discussion:
vsftpd 2.3.4 was not included in any Red Hat Enterprise Linux version. The backdoor was not found in the vsftpd versions that are shipped with Red Hat Enterprise Linux 5, 6, 7, or 8.
Wiz
CVE-2025-14242 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-14242 [CRITICAL] CVE-2025-14242 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14242: vsftpd vulnerability analysis and mitigation
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Source: NVD
- Score: 6.5
- Published: January 14, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: vsftpd, Linux Fedora
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 34.6
- Exploitation Probability (EPSS): 0.1
Affected packages and libraries
vsftpd-debuginfo
vsftpd-debugsource
Sources
NVD
AlmaLinux 8 Severity MEDIUM Has Fix Added at: Jan 20, 2026
AlmaLinux 9 Severi
arXiv
PenHeal: A Two-Stage LLM Framework for Automated Pentesting and Optimal Remediation
arxiv_fulltext·2024-07-25
Junjie Huang (New York University Shanghai, Shanghai, China)
Quanyan Zhu (New York University, New York, USA)
## Abstract
Recent advances in Large Language Models (LLMs) have shown significant potential in enhancing cybersecurity defenses against sophisticated threats. LLM-based penetration testing is an essential step in automating system security evaluations by identifying vulnerabilities. Remediation, the subsequent crucial step, addresses these discovered vulnerabilities. Since details about vulnerabilities, exploitation methods, and software versions offer crucial insights into system weaknesses, integrating penetration testing with vulnerability remedia
arXiv
Autosploit: A Fully Automated Framework for Evaluating the Exploitability of Security Vulnerabilities
arxiv_fulltext·2020-06-30
Noam Moscovich [1], Ron Bitton [1], Yakov Mallah [1], Masaki Inokuchi [2], Tomohiko Yagyu [2], Yuval Elovici [1] and Asaf Shabtai [1]
[1]Dept. of Software and Information Systems Engineering, Ben-Gurion University of the Negev
[2]NEC Corporation
## Abstract
The existence of a security vulnerability in a system does not necessarily mean that it can be exploited.
In this research, we introduce an automated framework for evaluating the exploitability of vulnerabilities.
Given a vulnerable environment and relevant exploits, Autosploit will automatically test the exploits on different configurations of the environment in order to identify the specific properties necessary for successful exploitation of the exi
CTF
Lame / walkthrough
ctf_writeups·CVSS 6.0
[MEDIUM] Lame / walkthrough
# Lame
Linux · Easy
# Task 1:
## How many of the nmap top 1000 TCP ports are open on the remote host?
```
4
```
# Task 2:
## What version of VSFTPd is running on Lame?
```
2.3.4
```
# Task 3:
## There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here?
```
no
```
# Task 4:
## What version of Samba is running on Lame? Give the numbers up to but not including "-Debian".
```
3.0.20
```
# Task 5:
## What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf?
```
CVE-2007-2447
```
# Task 6:
## Exploiting CVE-2007-2447 returns a shell as which user?
```
root
```
# Task 7:
## Submit the flag
- http://packetstormsecurity.com/files/162145/vsftpd-2.3.4-Backdoor-Command-Execution.html
- https://access.redhat.com/security/cve/cve-2011-2523
- https://packetstormsecurity.com/files/102745/VSFTPD-2.3.4-Backdoor-Command-Execution.html
- https://security-tracker.debian.org/tracker/CVE-2011-2523
- https://vigilance.fr/vulnerability/vsftpd-backdoor-in-version-2-3-4-10805
- https://www.openwall.com/lists/oss-security/2011/07/11/5

Published: 2019-11-27