PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42167 ProFTPD CVE debrief

CVE-2026-42167 is a remote code execution vulnerability in ProFTPD's mod_sql module. The vulnerability allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands. The affected product is ProFTPD versions before 1.3.9a. The vulnerability has a high severity and requires immediate attention from administrators and users.

Vendor
ProFTPD
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-28
Original CVE updated
2026-07-08
Advisory published
2026-04-28
Advisory updated
2026-07-08

Who should care

Administrators and users of ProFTPD versions before 1.3.9a should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating ProFTPD to version 1.3.9a or later, restricting access to the mod_sql module, monitoring logs for suspicious activity, and implementing additional security measures such as Web Application Firewalls.

Technical summary

The vulnerability exists in the mod_sql module of ProFTPD before version 1.3.9a. It allows remote attackers to execute arbitrary code by providing a specially crafted username that is logged with an expansion like %U. The SQL backend must also allow commands, such as COPY TO PROGRAM, for the exploit to work. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. Affected product deployments should be confirmed in managed environments, and owners should be assigned for follow-up. Official advisories or CVE records should be reviewed to validate affected scope, severity, and vendor guidance. Vendor-supported updates or mitigations should be planned through normal change control where exposure is confirmed. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Relevant monitoring, detection, and logs for exposed assets should be checked, requiring extra review. Exceptions should be tracked, remediated assets retested, and items closed only after evidence is documented.

Defensive priority

High

Recommended defensive actions

  • Update ProFTPD to version 1.3.9a or later
  • Restrict access to the mod_sql module
  • Monitor logs for suspicious activity
  • Implement additional security measures such as Web Application Firewalls
  • Conduct regular vulnerability assessments and penetration testing
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-04-28T23:16:20.610Z and was last modified on 2026-07-08T03:26:55.713Z. The NVD entry is currently Analyzed. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The SQL backend must allow commands, such as COPY TO PROGRAM, for the exploit to work. Evidence is limited, and further verification is required.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T23:16:20.610Z and has not been modified since then. The NVD entry is currently Analyzed.