CVE-2026-42167
Published: 2026-04-28
Priority: P1 · CVSS 3.1: 8.1 (high) · vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit) · VulnCheck KEV · Initial access
EPSS: 5.00% (91.2th percentile)
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| proftpd | proftpd | >= 1.3.7b < 1.3.9a | 1.3.9a |
Detection & IOCs (extracted from sources)
- command: USER ', null, null); INSERT INTO users VALUES($${{randstr}}$$, $${{randstr}}$$, 0, 0, $$/$$, $$/bin/bash$$); --'
- port: 2121
- other: 220 ProFTPD
- Detect exploit attempts by monitoring FTP USER commands containing SQL injection payloads, specifically INSERT INTO statements and PostgreSQL dollar-quoting ($$) targeting the mod_sql logging expansion %U.
- Flag FTP sessions where a USER command is followed by a PASS command and the server subsequently returns a 230 response for a username that was injected via SQL, indicating successful backdoor account creation and login.
- Use the Shodan query '220 ProFTPD' to identify exposed ProFTPD instances potentially vulnerable to this pre-authentication RCE.
- The vulnerability is rooted in a logic error in is_escaped_text() within mod_sql; monitor for SQL injection patterns in FTP USER request logs, especially payloads using COPY TO PROGRAM or INSERT INTO with shell paths like /bin/bash.
- The exploit is pre-authentication (no credentials required); any FTP USER command with embedded SQL syntax on ports 21 or 2121 targeting ProFTPD should be treated as a high-priority alert.
- Exploitation requires the SQL backend to support command execution (e.g., PostgreSQL's COPY TO PROGRAM); backends without this capability are not exploitable via this specific RCE vector.
- Exploitation also requires that ProFTPD is configured to log USER requests with an expansion such as %U in the SQLLog or equivalent directive; default configurations without this logging expansion may not be vulnerable.
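The two detection signals in the notes above (SQL syntax inside a USER argument, and a 230 reply in a session whose last USER argument was injected) can be expressed as log-analysis logic. The following Python is an added example written for this page, not a rule from any of the sources listed; the session log format and the sample sessions are constructed for the example, and the USER payload in session s2 is the one listed in the IOCs above with the {{randstr}} placeholders replaced by fixed strings.

```python
"""Heuristic detector for CVE-2026-42167-style SQL injection in FTP USER commands.

Log format (constructed for this example, not a ProFTPD log format):
    <session-id> <direction> <text>
where direction is C for a client command and S for a server reply.
"""
import re
from dataclasses import dataclass

# Markers taken from the detection notes: PostgreSQL dollar-quoting, INSERT INTO,
# COPY ... TO PROGRAM, a statement terminator followed by a SQL comment, a closed
# string literal continuing a VALUES list, and a shell path in the username.
MARKERS = [
    ("dollar-quote", re.compile(r"\$\$")),
    ("insert-into", re.compile(r"\bINSERT\s+INTO\b", re.I)),
    ("copy-to-program", re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I)),
    ("stmt-close-comment", re.compile(r"\)\s*;\s*--")),
    ("literal-break", re.compile(r"'\s*,\s*null\b", re.I)),
    ("shell-path", re.compile(r"/bin/(?:ba)?sh\b")),
]


@dataclass
class Finding:
    session: str
    line_no: int
    reason: str
    username: str


def score_username(user: str) -> list[str]:
    """Return the marker tags that fire on a USER argument (empty for benign names)."""
    return [tag for tag, rx in MARKERS if rx.search(user)]


def analyze(lines: list[str]) -> list[Finding]:
    """Walk session log lines and emit findings for the two signals in the notes:
    a USER argument carrying SQL syntax, and a 230 reply in a session whose
    most recent USER argument was injected."""
    findings: list[Finding] = []
    pending: dict[str, str] = {}  # session-id -> injected USER argument awaiting a 230
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line, skip it
        sess, direction, text = parts
        if direction == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() != "USER":
                continue
            tags = score_username(arg)
            if tags:
                findings.append(Finding(sess, n, "sqli-in-user:" + ",".join(tags), arg))
                pending[sess] = arg
            else:
                pending.pop(sess, None)  # a clean USER supersedes the injected one
        elif direction == "S" and text.startswith("230") and sess in pending:
            findings.append(Finding(sess, n, "login-after-injected-user", pending.pop(sess)))
    return findings


# Constructed sample sessions: one benign login, one injected USER followed by a 230,
# one benign name containing an apostrophe that must not trigger.
SAMPLE_LOG = [
    "s1 S 220 ProFTPD Server ready.",
    "s1 C USER alice",
    "s1 C PASS ********",
    "s1 S 230 User alice logged in",
    "s2 S 220 ProFTPD Server ready.",
    "s2 C USER ', null, null); INSERT INTO users VALUES($$abcd$$, $$abcd$$, 0, 0, $$/$$, $$/bin/bash$$); --'",
    "s2 C PASS ********",
    "s2 S 230 User logged in",
    "s3 C USER o'brien",
    "s3 C PASS ********",
    "s3 S 530 Login incorrect.",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.session} line {f.line_no}: {f.reason} user={f.username!r}")
```

The marker list is deliberately narrow (dollar-quoting, INSERT INTO, COPY TO PROGRAM, a closed literal continuing a VALUES list) so that ordinary usernames with a single apostrophe do not alert; the 230 correlation is tracked per session and reset whenever a clean USER command arrives, which is how the second note's "injected USER, then PASS, then 230" sequence is scoped.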
CVSS provenance
- nvd: v3.1 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- vulncheck: 8.1 HIGH
GHSA
GHSA-q25r-7mmc-3mcj: mod_sql in ProFTPD before 1
ghsa_unreviewed · 2026-04-29 · CVE-2026-42167 [HIGH] · CWE-89
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
VulnCheck
proftpd proftpd Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2026 · CVE-2026-42167 [HIGH] · CVSS 8.1
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Affected: proftpd proftpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2026-42167&date=2026-06-01
Exploit PoC: https://vulncheck.com/xdb/088e591804e7; https://vulncheck.com/xdb/b5971aada134; https://vulncheck.com/xdb/038b250f6d4d; https://vulncheck.com/
No detection rules found.
Nuclei
ProFTPD mod_sql - Preauth User Backdoor
nuclei · CVE-2026-42167 [HIGH] · CVSS 8.1
ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution flaw caused by unsafe username handling when USER request logging expansions are passed to SQL backend commands, letting remote attackers execute arbitrary code; exploitation requires an SQL backend that allows commands.
Template:
```yaml
id: CVE-2026-42167

info:
  name: ProFTPD mod_sql - Preauth User Backdoor
  author: pussycat0x
  severity: high
  description: |
    ProFTPD mod_sql before 1.3.10rc1 contains a remote code execution caused by unsafe username handling with SQL backend commands in USER request logging expansions, letting remote attackers execute arbitrary code, exploit requires SQL backend allowing commands.
  remediation: |
    Upgrade to version 1.3.10rc1 or later.
  impact: |
    Remote attackers can execute arbitrary cod
```
Bugzilla
CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all]
bugzilla · 2026-05-04 · CVE-2026-42167 [HIGH] · CVSS 8.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [epel-all]
bugzilla · 2026-05-04 · CVE-2026-42167 [HIGH] · CVSS 8.1
Bugzilla
CVE-2026-42167 ProFTPD: mod_sql: SQL injection due to logic error in is_escaped_text()
bugzilla · 2026-04-28 · CVE-2026-42167 [HIGH] · CVSS 8.1
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Hackernews
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
blogs_hackernews · 2026-05-04 · CVE-2026-41940 [CRITICAL] · CVSS 9.3
This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
References
- http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1
- https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc
- https://github.com/proftpd/proftpd/issues/2052
- https://www.openwall.com/lists/oss-security/2026/05/01/4
- https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce
- http://www.openwall.com/lists/oss-security/2026/05/01/13
- http://www.openwall.com/lists/oss-security/2026/05/01/4