PatchSiren cyber security CVE debrief
CVE-2026-35025 ProFTPD Project CVE debrief
CVE-2026-35025 is a high-severity vulnerability in ProFTPD, a widely deployed FTP server. An authenticated FTP user can bypass <Directory> access control lists (ACLs) by prefixing a path with /proc/self/root in the argument to the RNFR command. The prefixed path matches no configured <Directory> block, so the user can rename (RNFR/RNTO) a file out of a DenyAll-protected directory into one they are allowed to read and then retrieve it. The CVSS score is 8.6 (High). Sessions configured with DefaultRoot (chroot) are not affected, because inside the chroot /proc/self/root resolves to the jail rather than to the real filesystem root.
- Vendor: ProFTPD Project
- Product: ProFTPD
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-07-02
- Advisory published: 2026-06-24
- Advisory updated: 2026-07-02
Who should care
System administrators and security teams running ProFTPD releases through 1.3.9b, or the 1.3.10 release candidates through 1.3.10rc2, without DefaultRoot should prioritize patching. Exploitation requires only a valid FTP login: any user who can authenticate to a non-chrooted session can move files out of DenyAll-protected directories and read them, which can expose sensitive data and lead to a breach.
Technical summary
The flaw lies in how the RNFR command handler canonicalises and checks its path argument. dir_canonical_path() normalises the path lexically, so a /proc/self/root prefix supplied by the client survives canonicalisation, and dir_check() then compares the resulting string against the configured <Directory> blocks. Because /proc/self/root/<dir> does not begin with <dir>, the comparison matches no block, the DenyAll limit on <dir> is never applied, and the rename proceeds against the real file, since the kernel resolves /proc/self/root to the actual root of the filesystem for a non-chrooted process. The fix is to update to a patched ProFTPD release; where that must wait, sessions configured with DefaultRoot (chroot) are not exploitable, because /proc/self/root then resolves to the jail.
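To make the lexical-comparison failure concrete, here is an added illustration in Python (this editor's own code, not ProFTPD source): a toy dir_check() that string-prefix-matches a lexically normalised path against DenyAll directories, beside a variant that resolves the path with realpath() first. The temporary tree, the symlink standing in for /proc/self/root and the file names are all constructed for the demo, and the realpath() variant is this example's own choice of fix, not a description of the upstream patch.

```python
import os
import posixpath
import shutil
import tempfile


def lexical_canonical_path(path):
    """Purely lexical normalisation, in the spirit of what the debrief
    attributes to dir_canonical_path(): '.', '..' and doubled slashes are
    collapsed without touching the filesystem, so a '/proc/self/root'
    prefix is left exactly as the client sent it."""
    return posixpath.normpath(path)


def is_under(path, directory):
    """String test: path is the directory itself or lies beneath it."""
    directory = directory.rstrip("/") or "/"
    return path == directory or path.startswith(directory + "/")


def dir_check_lexical(path, deny_all_dirs):
    """Vulnerable check.  Compares the lexically canonicalised path against
    each DenyAll <Directory> block by string prefix.  '/proc/self/root/X'
    does not start with '/X', so it matches no block and access is allowed.
    Returns True when access is allowed."""
    canon = lexical_canonical_path(path)
    return not any(is_under(canon, d) for d in deny_all_dirs)


def dir_check_resolved(path, deny_all_dirs):
    """Hardened variant (this example's own choice, not ProFTPD's fix):
    resolve symlinks, including the kernel's magic /proc/self/root link,
    with realpath() before matching, so the prefixed path collapses back
    to the protected location and the DenyAll block applies."""
    real = os.path.realpath(path)
    return not any(is_under(real, os.path.realpath(d)) for d in deny_all_dirs)


def build_demo_tree():
    """Construct a throwaway tree standing in for the server's filesystem:
    <base>/private holds the protected file and <base>/proc/self/root is a
    symlink back to <base>, playing the role of the real /proc/self/root
    (which, outside a chroot, resolves to '/')."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="proftpd-acl-demo-"))
    os.makedirs(os.path.join(base, "private"))
    os.makedirs(os.path.join(base, "proc", "self"))
    with open(os.path.join(base, "private", "secret.txt"), "w") as fh:
        fh.write("constructed secret\n")
    os.symlink(base, os.path.join(base, "proc", "self", "root"))
    return base


def run_demo():
    """Return the verdict of both checks for a direct request, a '..'
    request and the /proc/self/root-prefixed request.  True = allowed."""
    base = build_demo_tree()
    try:
        deny = [os.path.join(base, "private")]  # <Directory .../private> DenyAll
        direct = os.path.join(base, "private", "secret.txt")
        dotdot = os.path.join(base, "pub", "..", "private", "secret.txt")
        prefixed = os.path.join(base, "proc", "self", "root", "private", "secret.txt")
        return {
            "direct_lexical": dir_check_lexical(direct, deny),        # denied
            "dotdot_lexical": dir_check_lexical(dotdot, deny),        # denied: '..' is lexical
            "prefixed_lexical": dir_check_lexical(prefixed, deny),    # allowed: the bypass
            "prefixed_resolved": dir_check_resolved(prefixed, deny),  # denied after realpath()
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:18} -> {'ALLOWED' if allowed else 'denied'}")
```

Run it on Linux or macOS (it creates a symlink in a temporary directory). The '..' case shows why lexical canonicalisation looks adequate at first glance: dot-segments are handled, but a magic symlink is not a dot-segment, and only the kernel knows where it goes. The same structure also explains the chroot caveat above: inside a DefaultRoot jail, /proc/self/root points at the jail, so the resolved path stays under the same <Directory> rules.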
Defensive priority
Patch at high priority. The bypass defeats the <Directory> ACLs that protect sensitive files and needs nothing beyond an FTP account on a non-chrooted server, so the ProFTPD update should be scheduled as soon as possible.
Recommended defensive actions
- Update ProFTPD to a patched release (1.3.10 or later). Note that 1.3.10rc2 is listed as affected, so a release-candidate install is not protected.
- Where patching must wait, chroot FTP sessions with DefaultRoot (for example DefaultRoot ~); the advisory notes that chrooted sessions are not affected because /proc/self/root then resolves to the jail.
- Monitor ProFTPD command logs (ExtendedLog) for RNFR or RNTO arguments containing /proc/self/root, and for a RETR that follows such a rename from the same session.
- Limit who can reach an exploitable session: exploitation needs a valid login, so restrict FTP access to known source networks, remove stale accounts, and rate-limit authentication to slow credential guessing (rate limiting on its own does not stop a user who already holds an account).
- Inventory every host running ProFTPD, record its version and whether DefaultRoot is set, and prioritize patching by exposure (internet-facing, non-chrooted servers first).
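The log-monitoring action above is easier to act on with a concrete hunt. The following is an added example (this editor's Python, not a ProFTPD tool) that scans ExtendedLog lines for the /proc/self/root prefix and pairs a flagged RNFR with the RNTO that completes it, so the analyst sees where the protected file went. It assumes ProFTPD's default LogFormat layout, %h %l %u %t "%r" %s %b; the sample lines, hosts, users and paths are constructed, and the pattern deliberately generalises beyond the advisory's /proc/self/root to the numeric-PID and thread-self forms of the same magic link.

```python
import posixpath
import re

# Assumed line layout: ProFTPD's default LogFormat, %h %l %u %t "%r" %s %b,
# where %r is the full command line sent by the client.  Adjust LOG_RE if your
# ExtendedLog uses a different LogFormat.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d+) (?P<bytes>\S+)$'
)

# The advisory names /proc/self/root; the numeric-PID and thread-self forms of
# the same magic link are included here as this example's generalisation.
PROC_ROOT_RE = re.compile(r"(?:^|/)proc/(?:self|thread-self|\d+)/root(?:/|$)")

# Constructed sample log (not real traffic): alice renames a protected file out
# of a DenyAll directory via the prefix and fetches it; bob performs an
# ordinary rename; carol probes a prefixed path with SIZE.
SAMPLE_LOG = """\
203.0.113.5 UNKNOWN alice [24/Jun/2026:10:15:32 +0000] "RNFR /proc/self/root/srv/ftp/private/payroll.csv" 350 0
203.0.113.5 UNKNOWN alice [24/Jun/2026:10:15:33 +0000] "RNTO /srv/ftp/pub/payroll.csv" 250 0
203.0.113.5 UNKNOWN alice [24/Jun/2026:10:15:40 +0000] "RETR /srv/ftp/pub/payroll.csv" 226 18273
198.51.100.9 UNKNOWN bob [24/Jun/2026:11:02:01 +0000] "RNFR /srv/ftp/pub/report.txt" 350 0
198.51.100.9 UNKNOWN bob [24/Jun/2026:11:02:02 +0000] "RNTO /srv/ftp/pub/report-old.txt" 250 0
192.0.2.77 UNKNOWN carol [24/Jun/2026:12:30:05 +0000] "SIZE /proc/self/./root/srv/ftp/private/payroll.csv" 550 0
"""


def parse_line(line):
    """Split one log line into host, user, verb, argument and reply code.
    Returns None for lines that do not match the assumed LogFormat."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    verb, _, arg = m.group("cmd").partition(" ")
    return {
        "host": m.group("host"),
        "user": m.group("user"),
        "time": m.group("time"),
        "verb": verb.upper(),
        "arg": arg,
        "status": int(m.group("status")),
    }


def uses_proc_root(arg):
    """True if the path argument routes through /proc/<self|pid>/root.  The
    argument is lexically normalised first so '/proc/self/./root' cannot
    slip past the pattern."""
    return bool(PROC_ROOT_RE.search(posixpath.normpath(arg)))


def scan(lines):
    """Walk the log once.  Flags every command whose argument uses the magic
    link, and pairs a flagged RNFR with the next RNTO from the same host/user
    so the analyst sees where the protected file was moved to."""
    findings = []
    pending = {}  # (host, user) -> flagged RNFR awaiting its RNTO
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["host"], rec["user"])
        if rec["verb"] == "RNFR":
            if uses_proc_root(rec["arg"]):
                findings.append({"kind": "proc_root_rnfr", **rec})
                pending[key] = rec
            else:
                pending.pop(key, None)
        elif rec["verb"] == "RNTO" and key in pending:
            src = pending.pop(key)
            # 250 is the FTP reply code for a completed RNTO.
            findings.append({
                "kind": "rename_completed" if rec["status"] == 250 else "rename_attempted",
                "host": rec["host"], "user": rec["user"], "time": rec["time"],
                "src": src["arg"], "dst": rec["arg"], "status": rec["status"],
            })
        elif uses_proc_root(rec["arg"]):
            findings.append({"kind": "proc_root_other", **rec})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Feed it real ExtendedLog lines with `scan(open(path))`. A "rename_completed" finding is the one to act on first: its "dst" is a file that was moved out of a DenyAll directory and is now readable by the user, and a RETR of that path shortly afterwards confirms exfiltration. A legitimate directory literally named proc/self/root under a user's home would trip the pattern, so treat hits as leads rather than verdicts.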
Evidence notes
CVE-2026-35025 was published on June 24, 2026, and the record was last updated on July 2, 2026. The affected versions are ProFTPD through 1.3.9b and the 1.3.10 release candidates through 1.3.10rc2. The CVSS score is 8.6 (High). The stored evidence contains no CISA KEV listing and no report of ransomware or other malicious activity tied to this vulnerability.
Official resources
- CVE-2026-35025 CVE record (CVE.org)
- CVE-2026-35025 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Issue Tracking, Mitigation
- Mitigation or vendor reference: [email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.