PatchSiren cyber security CVE debrief

CVE-2026-35025 ProFTPD Project CVE debrief

CVE-2026-35025 is a high-severity vulnerability in ProFTPD, a widely used FTP server. It allows authenticated FTP users to bypass directory access control lists (ACLs) by prefixing paths with /proc/self/root in the RNFR command handler. An attacker can thereby rename files inside DenyAll-protected directories and then retrieve them from the new location. The vulnerability carries a CVSS score of 8.6 (high). Sessions configured with DefaultRoot (chroot) are not affected, because the chroot changes the directory to which /proc/self/root resolves.

Vendor: ProFTPD Project
Product: ProFTPD
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-07-02
Advisory published: 2026-06-24
Advisory updated: 2026-07-02

Who should care

System administrators and security teams responsible for FTP servers using ProFTPD versions through 1.3.9b and 1.3.10rc2 should prioritize patching this vulnerability. Attackers can exploit this vulnerability to access sensitive files and data, potentially leading to data breaches or other security incidents.

Technical summary

The flaw lies in how the RNFR command handler canonicalizes its path argument through dir_canonical_path(). When the argument is prefixed with /proc/self/root, the resulting path is compared lexically by dir_check() against the configured Directory blocks, and none of them match, even though the path resolves to the same protected files on the filesystem. The ACL is therefore never applied, and the rename proceeds against files in protected directories. The issue is fixed in patched ProFTPD releases; sessions configured with DefaultRoot (chroot) are not affected.

Defensive priority

High priority should be given to patching this vulnerability, as it allows attackers to bypass ACLs and access sensitive files. System administrators should update ProFTPD to a patched version as soon as possible.

Recommended defensive actions

  • Update ProFTPD to a patched version (1.3.10 or later) to prevent exploitation.
  • Where patching must be delayed, configure DefaultRoot (chroot) for affected sessions; chrooted sessions are not affected.
  • Monitor FTP server logs for suspicious activity.
  • Implement additional security controls, such as IP blocking or rate limiting, to detect and prevent potential attacks.
  • Perform a thorough inventory of FTP servers using ProFTPD and prioritize patching based on risk and exposure.
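As a concrete form of the log-monitoring recommendation above, the following added example (not from the advisory or the ProFTPD project) scans ProFTPD ExtendedLog lines for command arguments that route through /proc/self/root or /proc/<pid>/root, the pattern the technical summary describes. The log lines are constructed, and the LogFormat they follow ("%h %u %t \"%r\" %s") is an assumption; adjust LINE_RE to your own format. It checks every command rather than only RNFR, since a probe against any handler is worth an alert.

```python
import posixpath
import re

# Constructed sample lines, not from a real server. Assumes an ExtendedLog written
# with LogFormat "%h %u %t \"%r\" %s" (client host, user, time, full command, reply
# code). The last line is a legitimate path that merely contains "proc/self/root".
SAMPLE_LOG = """\
198.51.100.7 alice [24/Jun/2026:10:01:12 +0000] "RNFR upload/report.csv" 350
198.51.100.7 alice [24/Jun/2026:10:01:13 +0000] "RNTO upload/report-old.csv" 250
203.0.113.9 bob [24/Jun/2026:10:02:40 +0000] "RNFR /proc/self/root/srv/ftp/private/keys.txt" 350
203.0.113.9 bob [24/Jun/2026:10:02:41 +0000] "RNTO /srv/ftp/pub/k.txt" 250
203.0.113.9 bob [24/Jun/2026:10:02:45 +0000] "RETR /srv/ftp/pub/k.txt" 226
192.0.2.5 carol [24/Jun/2026:10:03:00 +0000] "RNFR /pub/../proc/1234/root/etc/shadow" 550
192.0.2.5 carol [24/Jun/2026:10:03:05 +0000] "CWD /proc/self/root/srv" 250
198.51.100.8 dave [24/Jun/2026:10:04:00 +0000] "RNFR /srv/ftp/proc/self/root/x" 350
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[A-Za-z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3})$'
)

# Anchored at the start of the path: only a path that begins with the procfs root
# link resolves to the real filesystem root. "/srv/ftp/proc/self/root" does not.
PROC_ROOT_RE = re.compile(r"^/*proc/(self|\d+)/root(?:/|$)")


def is_proc_root_path(arg):
    """True if the argument begins with /proc/self/root or /proc/<pid>/root.
    The path is lexically normalized first so '.' and '..' segments cannot hide
    the prefix. A relative 'proc/self/root' is only meaningful from a '/' cwd, but
    flagging it costs nothing."""
    return PROC_ROOT_RE.match(posixpath.normpath(arg.strip())) is not None


def scan_log(text):
    """Return one record per logged command whose argument routes through procfs."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["arg"]:
            continue
        if is_proc_root_path(m["arg"]):
            hits.append({
                "host": m["host"], "user": m["user"], "time": m["time"],
                "cmd": m["cmd"].upper(), "arg": m["arg"], "status": m["status"],
                # FTP 2xx/3xx replies mean the server accepted the command
                # (350 is the reply to an accepted RNFR); 4xx/5xx mean it was refused.
                "accepted": m["status"][0] in "123",
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['time']} {h['host']} user={h['user']} {h['cmd']} {h['arg']} reply={h['status']}")
```

An accepted RNFR hit followed by an RNTO and RETR from the same session, as in bob's lines, is the sequence the debrief describes and should be triaged first.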

Evidence notes

CVE-2026-35025 was publicly disclosed on June 24, 2026, and the CVE record was last updated on July 2, 2026. The vulnerability affects ProFTPD versions through 1.3.9b and 1.3.10rc2. Its CVSS score of 8.6 indicates high severity. The stored evidence records no ransomware or other malicious activity associated with this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.