CVE-2010-20103
Published: 20 August 2025
Summary
CVE-2010-20103 is a critical-severity Hidden Functionality (CWE-912) vulnerability in ProFTPD (vendor Proftpd, product Proftpd). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-19 and SR-11 (both titled Component Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Verify the authenticity of the ProFTPD source tarball prior to compilation and deployment, directly preventing use of the compromised version containing the backdoor.
- Establish and maintain provenance for the source tarball to confirm it originates from trusted distribution channels, mitigating supply chain compromise risks.
- Require suppliers to provide evidence of component authenticity, ensuring the ProFTPD tarball is validated against official sources before acquisition and use.
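The authenticity check these controls call for, as an added example that is not ProFTPD's or NVD's own tooling: it gates a source tarball on a pinned whole-archive SHA-256 and then diffs the archive's per-file hashes against a known-good manifest so that a tampered member can be located rather than just detected. The pinned digest, the manifest and both tarballs are constructed in-memory here; in practice they come from the project's signed release metadata.

```python
import hashlib
import io
import tarfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_matches_pinned_digest(tarball: bytes, pinned_sha256: str) -> bool:
    """Whole-archive gate: refuse to build unless the digest matches."""
    return sha256_bytes(tarball) == pinned_sha256


def file_manifest(tarball: bytes) -> dict:
    """Map every regular member path to the SHA-256 of its content."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                manifest[member.name] = sha256_bytes(tar.extractfile(member).read())
    return manifest


def diff_against_manifest(tarball: bytes, known_good: dict) -> dict:
    """Report which files were modified, added or removed relative to the
    known-good manifest; all three lists empty means the archive is untouched."""
    actual = file_manifest(tarball)
    return {
        "modified": sorted(p for p in actual if p in known_good and actual[p] != known_good[p]),
        "added": sorted(p for p in actual if p not in known_good),
        "removed": sorted(p for p in known_good if p not in actual),
    }


def build_tarball(files: dict) -> bytes:
    """Construct an in-memory .tar.gz from {path: content} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins: a "genuine" release and a copy with one source file altered.
GENUINE = build_tarball({"src/main.c": b"int main(void){return 0;}\n", "configure": b"#!/bin/sh\n"})
PINNED_SHA256 = sha256_bytes(GENUINE)          # would be the published, signed digest
KNOWN_GOOD_MANIFEST = file_manifest(GENUINE)   # would be derived from a trusted copy
TAMPERED = build_tarball({"src/main.c": b"int main(void){return 0;}\n/* extra */\n", "configure": b"#!/bin/sh\n"})
```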
NVD Description
A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.
Deeper analysis
CVE-2010-20103 involves a malicious backdoor embedded in the official ProFTPD 1.3.3c source tarball, distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the ProFTPD server to execute arbitrary shell commands with root privileges. Systems affected are those where ProFTPD 1.3.3c was compiled and deployed from this compromised tarball, enabling remote code execution on the FTP server host.
Remote, unauthenticated attackers can exploit the vulnerability over the network by sending the specific trigger command via FTP, achieving full root-level command execution on the target system. This grants complete control, including data exfiltration, persistence, or further compromise, with no user interaction or privileges required. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-912 (Hidden Functionality).
Advisories and related resources, including those from ProFTPD.org (http://www.proftpd.org/), Check Point (https://advisories.checkpoint.com/defense/advisories/public/2011/cpai-2010-151.html/), the ProFTPD GitHub (https://github.com/proftpd/proftpd), a Metasploit exploit module (https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb), and an archived rsync distribution site (https://web.archive.org/web/20111107212129/http://rsync.proftpd.org/), document the supply chain compromise and provide context for verification and avoidance of the tainted release.
Details
- CWE(s)