Critical ProFTPD SQL Injection Vulnerability Allows Remote Code Execution
Key Takeaways
- A critical SQL injection flaw, CVE-2026-42167, has been discovered in ProFTPD’s mod_sql module.
- This vulnerability affects one of the internet’s most widely used FTP servers, particularly those configured for database authentication or logging.
- Attackers can exploit the flaw for authentication bypass, privilege escalation, or remote code execution (RCE), depending on server configuration.
- A patch is available in ProFTPD version 1.3.9a and later; immediate upgrade is strongly recommended.
A significant SQL injection vulnerability has been uncovered in ProFTPD, a widely deployed FTP server. Identified as CVE-2026-42167, the flaw carries a CVSS severity score of 8.1 and resides in the server’s mod_sql module.
Depending on the specific server configuration, this critical bug could allow malicious actors to circumvent authentication mechanisms, escalate their privileges, or even achieve remote code execution (RCE) on affected systems.
The mod_sql module within ProFTPD is designed to facilitate user authentication against a database or to log server activities, offering a flexible alternative to traditional user management.
System administrators frequently use the SQLNamedQuery directive for logging, often embedding variables such as %U, which expands to the username supplied by the client, so that the name is written into each log entry automatically.
The root cause is a logic error in the is_escaped_text() function, which decides whether a substituted value still needs SQL escaping before it is spliced into the query.
When the supplied value begins and ends with a single quote and contains no other single quote, the function treats it as an already-quoted literal and skips escaping entirely. Because the client controls the username, an attacker can produce that shape deliberately.
ProFTPD’s SQL Injection Vulnerability
Under this faulty assumption, a specially crafted username passes through unescaped and is concatenated verbatim into the query text, so the database executes attacker-supplied SQL rather than logging a harmless string.
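To make the failure mode concrete, the following is an added Python model of the heuristic described above. It is not ProFTPD’s code and is not taken from the advisory; the query template, table and column names, and the %U substitution are assumptions for illustration only. The constructed attacker username respects the stated precondition (a leading and a trailing single quote, none in between), and SQLite’s executescript() stands in for a database backend that accepts several semicolon-separated statements in one call.

```python
import sqlite3

# Constructed logging query in the style of a mod_sql SQLNamedQuery template.
# Table and column names are hypothetical; %U stands for the client-supplied username.
LOG_TEMPLATE = "INSERT INTO ftplog (username, command) VALUES ('%U', 'USER')"

# Constructed attacker username: begins and ends with a single quote and contains
# no quote in between, which is exactly the shape the advisory says is mis-classified.
PAYLOAD = "', 0); INSERT INTO ftplog (username, command) VALUES (1, 1); -- '"


def looks_pre_escaped(text: str) -> bool:
    """Model of the flawed heuristic: a value wrapped in single quotes with no
    quote inside is assumed to be an already-quoted literal. Reconstructed from
    the advisory's description; this is not ProFTPD's actual source."""
    return len(text) >= 2 and text[0] == "'" and text[-1] == "'" and "'" not in text[1:-1]


def escape_sql_literal(text: str) -> str:
    """Standard SQL string escaping: double every single quote."""
    return text.replace("'", "''")


def render_vulnerable(username: str) -> str:
    """Substitute %U, skipping escaping whenever the heuristic fires."""
    value = username if looks_pre_escaped(username) else escape_sql_literal(username)
    return LOG_TEMPLATE.replace("%U", value)


def render_fixed(username: str) -> str:
    """Substitute %U and always escape: the shape of client input is never trusted."""
    return LOG_TEMPLATE.replace("%U", escape_sql_literal(username))


def run_log_query(sql: str) -> list[tuple]:
    """Run the rendered query against a fresh in-memory SQLite database and return
    every row of the log table. executescript() accepts several statements in one
    string, approximating a backend such as PostgreSQL that does the same."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftplog (username TEXT, command TEXT)")
    db.executescript(sql)
    return db.execute("SELECT username, command FROM ftplog ORDER BY rowid").fetchall()


if __name__ == "__main__":
    for name in ("alice", "o'brien", PAYLOAD):
        print("vulnerable:", run_log_query(render_vulnerable(name)))
        print("fixed:     ", run_log_query(render_fixed(name)))
```

For ordinary usernames, including one with an apostrophe, both code paths store exactly one log row. For the crafted name, the vulnerable path executes two statements, the second of them attacker-chosen, while the fixed path stores the whole payload as an inert string. The fix is simply to drop the shortcut: escaping must never depend on what client input happens to look like.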
The widespread adoption of ProFTPD across various modern Linux distributions and web hosting platforms means that the potential attack surface for this vulnerability is substantial.
Many web hosting administration panels rely on this database-backed architecture to efficiently manage thousands of FTP users without the overhead of creating individual local Linux accounts for each.
The precise impact of exploiting this vulnerability can vary significantly, contingent upon the specific logging and database configurations of the affected server.
- Authentication Bypass: If the server is configured to log pre-authentication commands such as USER, the injected SQL runs before any credential is checked, so an unauthenticated attacker can insert a backdoor user with full privileges directly into the authentication database.
- Remote Code Execution: Where ProFTPD connects to a PostgreSQL database as a superuser, attackers can combine the SQL injection with PostgreSQL’s COPY TO PROGRAM feature to execute arbitrary commands on the database host.
- Data Theft: Attackers can employ blind SQL injection techniques to progressively extract sensitive information from the database, potentially including plaintext passwords or their hashes.
According to ZeroPath Research, security teams and system administrators must take immediate action to safeguard their infrastructure from potential exploitation.
What You Should Do
- Apply Security Patches: Immediately upgrade all ProFTPD installations to version 1.3.9a or a newer release to incorporate the necessary security fixes.
- Disable SQL Logging: If an immediate upgrade is not feasible, administrators should disable mod_sql logging, that is, the SQLLog and SQLNamedQuery directives that substitute client-supplied values such as %U into queries. This removes the specific attack vector while the patch is scheduled.
- Monitor Systems: Security teams should actively monitor their FTP logs and database activity for anomalous behavior, such as the creation of unexpected user accounts or unusual SQL queries.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.