CVE-2012-10055
published 2025-08-13


Priority: P2 · 69 · critical · CVSS 4.0 base score 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: available
EPSS: 1.99% (78.2th percentile)
ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations.

Affected (1 range)

Vendor: comsndftp
Product: ftp_server
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

version: ComSndFTP 1.3.7 Beta
command: USER <format_string_specifiers>
path: Ws2_32.dll!WSACleanup
  • Alert on FTP USER commands containing format string specifiers (e.g., %n, %x, %s, %p) — these are the crafted payloads used to trigger the write-4 vulnerability.
  • Monitor for unauthenticated FTP USER command attempts that trigger abnormal process behavior or crashes in ComSndFTP — exploitation requires no authentication.
  • Watch for memory writes targeting the WSACleanup function pointer in Ws2_32.dll from within the ComSndFTP process — this is the specific overwrite target used to redirect execution flow.
  • Detect ROP chain activity (DEP bypass) originating from the ComSndFTP server process following receipt of a malformed USER command.
  • The SEH (Structured Exception Handler) exit path is the preferred exploitation route; monitor for SEH chain manipulation within the ComSndFTP process.
  • When Meterpreter payload is used, the ComSndFTP process will remain alive post-exploitation — a persistent, long-lived ComSndFTP process with active network sessions after a suspicious USER command is a strong indicator of compromise.
  • The vulnerability affects only ComSndFTP version 1.3.7 Beta specifically; other versions are not confirmed vulnerable.
  • The exploit targets a hardcoded function pointer address for WSACleanup in Ws2_32.dll; the address may vary across different Windows versions/patch levels, affecting reliability of detection signatures based on static addresses.
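Added example (not part of the source record): a small Python scanner over constructed FTP control-channel log lines that implements the first detection bullet above. It goes beyond the four specifiers the bullet names by matching the full printf conversion grammar (flags, width, precision, %hn/%hhn length modifiers) and rates a memory-write conversion as the high-severity case, because that is the primitive the WSACleanup pointer overwrite depends on. The log line layout "<timestamp> <client> C: <command>" and the severity thresholds are assumptions.

```python
import re

# One printf-style conversion: %[argpos$][flags][width][.prec][length]conv
FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|j|z|t)?([diouxXeEfFgGaAcspn])"
)
# Log line layout is an assumption for this example: "<timestamp> <client> C: <ftp command>"
USER_LINE = re.compile(r"^\S+\s+(\S+)\s+C:\s+USER\s+(.*)$", re.IGNORECASE)

def inspect_username(username):
    """Return (specifiers, has_write). '%%' is a literal percent, not a conversion."""
    matches = list(FMT_SPEC.finditer(username.replace("%%", "")))
    specs = [m.group(0) for m in matches]
    # %n / %hn / %hhn write to memory: the primitive the CVE's pointer overwrite relies on
    has_write = any(m.group(1) == "n" for m in matches)
    return specs, has_write

def severity_for(specs, has_write):
    if has_write:
        return "high"      # memory-write conversion in a username: exploitation attempt
    if len(specs) >= 4:
        return "medium"    # chained %x/%p reads: stack leak / offset probing
    return "low" if specs else None

def scan_ftp_log(lines):
    # One finding dict per USER command whose argument carries format conversions
    findings = []
    for n, line in enumerate(lines, start=1):
        m = USER_LINE.match(line)
        if not m:
            continue
        client, username = m.group(1), m.group(2).strip()
        specs, has_write = inspect_username(username)
        sev = severity_for(specs, has_write)
        if sev:
            findings.append({"line": n, "client": client, "username": username,
                             "specifiers": specs, "write_primitive": has_write,
                             "severity": sev})
    return findings

# Constructed sample control-channel log (not captured traffic)
SAMPLE_LOG = [
    "2025-08-13T10:00:01Z 203.0.113.7 C: USER alice",
    "2025-08-13T10:00:02Z 203.0.113.7 C: PASS hunter2",
    "2025-08-13T10:00:05Z 198.51.100.4 C: USER sale%%50",        # literal percent: benign
    "2025-08-13T10:00:09Z 198.51.100.4 C: USER %p%p%p%p%p%p",    # read-only probing
    "2025-08-13T10:00:12Z 198.51.100.4 C: USER AAAA%08x%08x%n",  # write primitive
]
```

Pair the "high" finding with the process-level indicators in the later bullets (crash, SEH manipulation, long-lived process with active sessions) rather than alerting on the username alone.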