CVE-2023-22629
published 2023-02-14


Priority: P2 · 69 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see sources below)
EPSS: 12.32% (95.7th percentile)
An issue was discovered in TitanFTP through 1.94.1205. The move-file function has a path traversal vulnerability in the newPath parameter. An authenticated attacker can upload any file and then move it anywhere on the server's filesystem.
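The flaw described above is the classic one: a user-controlled destination path is joined onto the account's home directory without being canonicalised or checked for containment. The following is an added illustration, not TitanFTP's code or the public PoC; it pairs a constructed stand-in for that flawed move-file logic with a hardened version that resolves the real path and refuses anything outside the home directory (the `home`, `old_path` and `new_path` names are this example's own).

```python
import os
import tempfile


def move_file_vulnerable(home: str, old_path: str, new_path: str) -> str:
    """Constructed stand-in for the flawed behaviour the advisory describes:
    newPath is joined onto the user's home without normalisation or a
    containment check, so '..' segments walk out of the FTP root."""
    src = os.path.join(home, old_path)
    dst = os.path.join(home, new_path)
    os.replace(src, dst)
    return dst


def resolve_inside(home: str, user_path: str) -> str:
    """Canonicalise user_path relative to home and refuse any result that
    is not under home (covers '..', absolute paths and symlinks that
    already exist on the source side)."""
    root = os.path.realpath(home)
    # strip leading separators so an absolute user path cannot replace root
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise PermissionError(f"path escapes home directory: {user_path!r}")
    return candidate


def move_file_hardened(home: str, old_path: str, new_path: str) -> str:
    """Same operation, but both endpoints must resolve inside home."""
    src = resolve_inside(home, old_path)
    dst = resolve_inside(home, new_path)
    os.replace(src, dst)
    return dst


def demo() -> tuple:
    """Run both variants in a throwaway directory tree and report
    (file escaped via vulnerable move, hardened move refused, file still in home)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "ftp", "alice")
        outside = os.path.join(tmp, "outside")
        os.makedirs(home)
        os.makedirs(outside)

        # step 1: an authenticated user uploads a file into their own home
        with open(os.path.join(home, "evil.txt"), "w") as f:
            f.write("payload")
        # step 2: move it with a traversal newPath (two levels up, then sideways)
        move_file_vulnerable(home, "evil.txt", "../../outside/evil.txt")
        escaped = os.path.exists(os.path.join(outside, "evil.txt"))

        with open(os.path.join(home, "evil2.txt"), "w") as f:
            f.write("payload")
        try:
            move_file_hardened(home, "evil2.txt", "../../outside/evil2.txt")
            refused = False
        except PermissionError:
            refused = True
        still_home = os.path.exists(os.path.join(home, "evil2.txt"))
        return escaped, refused, still_home


if __name__ == "__main__":
    print(demo())
```

The containment check compares canonical paths rather than looking for a literal `..`, so it also rejects encoded or separator-mixed variants and symlinks that point outside the root; the hardened version is what a fix for this class of bug should look like regardless of the product.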

Affected (1 range)

Vendor: southrivertech
Product: titan_ftp_server
Version range: <= 1.94.1205
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

indicator (parameter): newPath
indicator (banner regex): TitanFTP ([0-9.]+)
url: http://packetstormsecurity.com/files/171737/Titan-FTP-Path-Traversal.html
url: https://f20.be/blog/titanftp
rule (labelled "yara" on the page, but written as a version-match expression rather than YARA syntax):
contains(raw, 'TitanFTP') AND compare_versions(version, '<= 1.94.1205')
  • Detect vulnerable TitanFTP servers on TCP/21 by sending a hex probe (00000000) and matching the banner string 'TitanFTP' with a version <= 1.94.1205.
  • Extract the TitanFTP version from the banner with the regex 'TitanFTP ([0-9.]+)' to identify vulnerable instances; compare the result numerically rather than as a string, so that a later build such as 1.100.x is not misclassified as vulnerable.
  • The Shodan query 'product:"Titan ftpd"' finds internet-exposed TitanFTP servers for proactive inventory.
  • Monitor authenticated FTP sessions for move-file requests whose newPath parameter contains path traversal sequences (e.g., '../', '..\' or their URL-encoded forms) to detect exploitation attempts.
  • The exploit chain is a file upload followed by a move-file call with a traversal newPath; alert on authenticated users moving files to paths outside their home directory.
  • Exploitation requires prior authentication; an unauthenticated attacker cannot reach the vulnerable move-file function directly, so valid FTP credentials are the precondition.
  • The advisory lists versions through 1.94.1205 as affected, but the public PoC was tested against 2.0.1.2102 on Windows Server 2022. That does not square with the affected range above, so treat the 2.0.x branch as potentially affected and verify the fix on your own build rather than relying on the version bound alone.
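The banner-matching and session-monitoring bullets above, as an added example that is not part of the page or of either linked source: it applies the page's banner regex with a numeric version comparison, and runs a traversal check over a few constructed log lines in a hypothetical `user=... cmd=... newPath=...` key/value format (TitanFTP's real log format is not shown on the page, so the line layout and the `detect` function are this example's assumptions).

```python
import re
from urllib.parse import unquote

# banner regex listed on the page; the bound is the advisory's affected range
BANNER_RE = re.compile(r"TitanFTP ([0-9.]+)")
MAX_VULNERABLE = "1.94.1205"


def parse_version(text: str):
    """Return the TitanFTP version from a banner as an int tuple, or None."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split(".") if p)


def version_le(version: tuple, bound: str) -> bool:
    # integer tuples compare numerically, so 1.100.0 > 1.94.1205 as intended
    return version <= tuple(int(p) for p in bound.split("."))


def is_vulnerable_banner(banner: str) -> bool:
    v = parse_version(banner)
    return v is not None and version_le(v, MAX_VULNERABLE)


# '..' as a whole path segment, with either separator, after URL-decoding
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal(path: str) -> bool:
    return TRAVERSAL_RE.search(unquote(path)) is not None


# Hypothetical key=value log format, constructed for this example.
LOG_LINE_RE = re.compile(
    r"user=(?P<user>\S+) cmd=(?P<cmd>\S+)"
    r"(?: oldPath=(?P<old>\S+))?(?: newPath=(?P<new>\S+))?"
)


def detect(lines):
    """Return (user, newPath) for move-file requests whose newPath escapes."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.search(line)
        if not m or m.group("cmd") != "move-file" or m.group("new") is None:
            continue
        if has_traversal(m.group("new")):
            hits.append((m.group("user"), m.group("new")))
    return hits


# Constructed sample session log: one benign move, one plain traversal,
# one URL-encoded traversal, and one '..hidden' name that must not alert.
SAMPLE_LOG = [
    "2023-02-14T10:00:01Z user=alice cmd=upload path=report.txt",
    "2023-02-14T10:00:02Z user=alice cmd=move-file oldPath=report.txt newPath=archive/report.txt",
    "2023-02-14T10:00:09Z user=alice cmd=move-file oldPath=payload.exe newPath=../../../Windows/Temp/payload.exe",
    "2023-02-14T10:00:12Z user=bob cmd=move-file oldPath=a.txt newPath=..%2F..%2Fsecret.txt",
    "2023-02-14T10:00:15Z user=bob cmd=move-file oldPath=b.txt newPath=sub/..hidden/b.txt",
]

if __name__ == "__main__":
    for banner in ("220 TitanFTP 1.94.1205 Ready", "220 TitanFTP 2.0.1.2102"):
        print(banner, "->", "vulnerable" if is_vulnerable_banner(banner) else "outside listed range")
    for user, path in detect(SAMPLE_LOG):
        print(f"ALERT user={user} traversal newPath={path}")
```

Two points worth noting: the version check reports 2.0.1.2102 as outside the listed range, which is exactly the gap the caveat above describes, so the banner result is an inventory signal and not a clean bill of health; and the traversal regex anchors `..` as a full segment, which is why `sub/..hidden/b.txt` is not flagged while the URL-encoded form is.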