cbcvebase.
CVE-2026-42167
published 2026-04-28


Priority: P1 (high); CVSS 3.1 base score 8.1
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
In-the-wild exploit: listed in VulnCheck KEV; used for initial access
Exploited in the wild
EPSS: 5.00% (91.2th percentile)
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Affected

1 range

Vendor: proftpd
Product: proftpd
Version range: >= 1.3.7b, < 1.3.9a
Fixed in: 1.3.9a

Detection & IOCs (extracted from sources)

Command: USER ', null, null); INSERT INTO users VALUES($${{randstr}}$$, $${{randstr}}$$, 0, 0, $$/$$, $$/bin/bash$$); --'
Port: 2121
Other: 220 ProFTPD
  • Detect exploit attempt by monitoring FTP USER commands containing SQL injection payloads, specifically INSERT INTO statements and PostgreSQL dollar-quoting ($$) targeting mod_sql logging expansion %U.
  • Flag FTP sessions where a USER command is followed by a PASS command and the server subsequently returns a 230 response for a username that was injected via SQL — indicating successful backdoor account creation and login.
  • Use Shodan query '220 ProFTPD' to identify exposed ProFTPD instances potentially vulnerable to this pre-authentication RCE.
  • The vulnerability is rooted in a logic error in is_escaped_text() within mod_sql; monitor for SQL injection patterns in FTP USER request logs, especially payloads using COPY TO PROGRAM or INSERT INTO with shell paths like /bin/bash.
  • The exploit is pre-authentication (no credentials required); any FTP USER command with embedded SQL syntax on ports 21 or 2121 targeting ProFTPD should be treated as a high-priority alert.
  • Exploitation requires the SQL backend to support command execution (e.g., PostgreSQL's COPY TO PROGRAM); backends without this capability are not exploitable via this specific RCE vector.
  • Exploitation also requires that ProFTPD is configured to log USER requests with an expansion such as %U in the SQLLog or equivalent directive; default configurations without this logging expansion may not be vulnerable.

CVSS provenance

NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH