CVE-2010-20103

Severity: Critical · Public PoC available

Published: 20 August 2025
Modified: 24 September 2025
KEV Added: not listed
CVSS Score (v4.0): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.8508 (99.4th percentile)
Risk Priority: 70 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2010-20103 is a critical-severity Hidden Functionality (CWE-912) vulnerability in ProFTPD (vendor: ProFTPD). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SA-19 (Component Authenticity) and SR-11 (Component Authenticity).

Deeper analysis

CVE-2010-20103 involves a malicious backdoor embedded in the official ProFTPD 1.3.3c source tarball, distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the ProFTPD server to execute arbitrary shell commands with root privileges. Systems affected are those where ProFTPD 1.3.3c was compiled and deployed from this compromised tarball, enabling remote code execution on the FTP server host.

Remote, unauthenticated attackers can exploit the vulnerability over the network by sending the specific trigger command via FTP, achieving full root-level command execution on the target system. This grants complete control, including data exfiltration, persistence, or further compromise, with no user interaction or privileges required. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-912 (Improper Control of a Generator Resource).

Advisories and related resources, including those from ProFTPD.org (http://www.proftpd.org/), Check Point (https://advisories.checkpoint.com/defense/advisories/public/2011/cpai-2010-151.html/), the ProFTPD GitHub (https://github.com/proftpd/proftpd), a Metasploit exploit module (https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb), and an archived rsync distribution site (https://web.archive.org/web/20111107212129/http://rsync.proftpd.org/), document the supply chain compromise and provide context for verification and avoidance of the tainted release.

Vulnerability details

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Direct RCE via trigger on public-facing FTP server (T1190) enabling root Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1952 (shared CWE-912)
CVE-2026-41446 (shared CWE-912)
CVE-2024-39754 (shared CWE-912)
CVE-2026-33280 (shared CWE-912)
CVE-2025-48418 (shared CWE-912)
CVE-2026-3587 (shared CWE-912)
CVE-2025-0626 (shared CWE-912)
CVE-2024-13062 (shared CWE-912)
CVE-2025-0675 (shared CWE-912)
CVE-2026-30704 (shared CWE-912)

Affected Assets

Vendor: proftpd · Product: proftpd · Version: 1.3.3

Mitigating Controls (NIST 800-53 r5)

Prevent: Verifies the authenticity of the ProFTPD source tarball prior to compilation and deployment, directly preventing use of the compromised version containing the backdoor.

Prevent: Establishes and maintains provenance for the source tarball to confirm it originates from trusted distribution channels, mitigating supply chain compromise risks.

Prevent: Requires suppliers to provide evidence of component authenticity, ensuring the ProFTPD tarball is validated against official sources before acquisition and use.
