CVE-2012-10030
Published 2025-08-05
Priority: P2 · 75 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 1.48% (70.7th percentile)
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freefloat | freefloat_ftp_server | — | — |
| freefloat | ftp_server | — | — |
Detection & IOCs (extracted from sources)
- FreeFloat FTP Server accepts empty/blank credentials — detect anonymous or empty-username FTP login attempts to FreeFloat FTP Server instances
- Monitor FTP write commands (STOR) depositing .mof or executable files into system32 or wbem\mof directories, which triggers automatic WMI execution
- Alert on new .mof files appearing in the wbem\mof directory from non-administrative processes, as this is the WMI auto-execution trigger path used by this exploit
- Detect FTP sessions where the working directory cannot be changed from C:\ root — this is a behavioral fingerprint of FreeFloat FTP Server exploitation
- Monitor for SYSTEM-level process creation originating from WMI service (WmiPrvSE.exe) shortly after FTP file upload activity, indicating successful exploitation
- FreeFloat FTP Server has no authentication enforcement — there is no configuration option to require credentials, making network-level blocking the only mitigation
- The server enforces no file type or destination path restrictions, meaning ACL-based controls at the FTP layer are absent and cannot be relied upon for defense
- The default working directory is hardcoded to C:\ root and cannot be changed by configuration, giving any authenticated (or unauthenticated) session full filesystem write access
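The first two detection items above can be checked against FTP command logs. The following is an added example, not a rule from any of the indexed sources: it assumes a constructed log format of `client COMMAND [argument]`, assumes every CWD was accepted, and uses a hypothetical list of risky extensions.

```python
import posixpath

# Extension list is an assumption; the advisory names .mof and "executable payloads".
RISKY_EXT = (".mof", ".exe", ".dll")

def resolve(cwd, arg):
    """Resolve an FTP path against the session cwd; '/' stands for the C:\\ root."""
    joined = posixpath.join(cwd, arg.replace("\\", "/"))
    return "/" + posixpath.normpath(joined).lstrip("/").lower()

def analyze(lines):
    """Return (client, rule, detail) alerts from 'client COMMAND [arg]' lines."""
    sessions, alerts = {}, []
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2:
            continue
        client, cmd = parts[0], parts[1].upper()
        arg = parts[2].strip() if len(parts) == 3 else ""
        s = sessions.setdefault(client, {"cwd": "/", "empty_login": False})
        if cmd in ("USER", "PASS") and arg == "":
            if not s["empty_login"]:          # one alert per session
                alerts.append((client, "empty-credentials", cmd))
            s["empty_login"] = True
        elif cmd == "CWD":
            s["cwd"] = resolve(s["cwd"], arg)  # assumes the server accepted it
        elif cmd == "STOR":
            path = resolve(s["cwd"], arg)      # normalises '..' and mixed slashes
            folder, ext = posixpath.dirname(path), posixpath.splitext(path)[1]
            if folder.endswith("/wbem/mof") and ext == ".mof":
                alerts.append((client, "mof-into-wbem", path))
            elif "system32" in folder.split("/") and ext in RISKY_EXT:
                alerts.append((client, "binary-into-system32", path))
    return alerts

# Constructed sample log, not captured from a real server.
SAMPLE = [
    "10.0.0.5 USER",
    "10.0.0.5 PASS",
    "10.0.0.5 CWD WINDOWS\\system32",
    "10.0.0.5 STOR sample.exe",
    "10.0.0.5 STOR wbem/mof/../mof/sample.mof",
    "10.0.0.9 USER alice",
    "10.0.0.9 STOR /reports/q3.pdf",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Paths are normalised before matching so that `..` segments and mixed slash styles in the STOR argument do not bypass the directory check.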
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No writeups or analysis indexed.
- https://archive.org/details/tucows_367516_Freefloat_FTP_Server
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/freefloatftp_wbem.rb
- https://www.exploit-db.com/exploits/23226
- https://www.fortiguard.com/encyclopedia/ips/34209/freefloat-ftp-server-arbitrary-file-upload
- https://www.vulncheck.com/advisories/freefloat-ftp-server-arbitrary-file-upload