Cyber Resilience

CVE-2012-10030

Critical · Public PoC

Published: 05 August 2025
Modified: 03 September 2025
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.7256 (98.8th percentile)
Risk Priority: 62 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2012-10030 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in FreeFloat FTP Server (listed under vendor freefloat). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.2% of CVEs by exploit likelihood (EPSS 98.8th percentile), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2012-10030 is a critical vulnerability in FreeFloat FTP Server that stems from several design flaws which together let unauthenticated remote attackers upload arbitrary files into sensitive system directories. The server accepts empty credentials, grants the default user access rooted at the C:\ drive, and enforces no restriction on file type or destination path. These issues are classified under CWE-306 (Missing Authentication for Critical Function), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-732 (Incorrect Permission Assignment for Critical Resource), and they allow uploads directly into privileged locations such as system32 and wbem\mof.

Unauthenticated attackers with network access to the FTP service can turn this into remote code execution as SYSTEM with no user interaction: either an executable payload is written into system32, or a .mof file is written into wbem\mof, where the Windows Management Instrumentation (WMI) service of older Windows releases automatically compiles and acts on it. That MOF autocompile behaviour is a Windows XP/Server 2003-era feature; later Windows versions do not watch this directory, so the .mof path applies to legacy hosts, which is also the population this server is most likely to be running on. The vulnerability's CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), like its CVSS v4.0 score of 9.3, reflects low attack complexity and full system compromise.
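The two conditions described above (empty credentials accepted, no restriction on the destination directory) can be confirmed without uploading anything. The check below is an added example, not the vendor's, VulnCheck's or Metasploit's code: it logs in with a literally empty USER/PASS pair and then issues CWD against the directories the advisory names. The FTP path form of those directories (C:\ mapped to "/") is an assumption, as is the hardened mock's "alice"/"s3cret" account; both mock servers are constructed stand-ins so the script runs offline, and neither is FreeFloat itself.

```python
"""Non-destructive exposure check for the two weaknesses described above:
the control channel accepts empty credentials (CWE-306) and a session can
change directory straight into privileged Windows paths (CWE-732).

Added example; not the vendor's, VulnCheck's or Metasploit's code. It never
uploads anything, it only logs in and issues CWD. The mock servers below let
the check run offline; neither is FreeFloat itself.
"""
import ftplib
import socketserver
import threading

# Targets named in the advisory, written as FTP paths with C:\ mapped to "/".
# The exact path mapping FreeFloat exposes is an assumption here.
SENSITIVE_DIRS = ("/Windows/system32", "/Windows/system32/wbem/mof")


def check_ftp_exposure(host, port, timeout=5.0):
    """Probe host:port and report which weaknesses are observable."""
    result = {"empty_login": False, "cwd_sensitive": []}
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        try:
            # Literally empty USER/PASS. ftplib.login() would substitute
            # "anonymous", which is not the condition under test.
            ftp.sendcmd("USER ")
            ftp.sendcmd("PASS ")
        except ftplib.error_perm:
            return result                  # rejected: IA-8 is enforced
        result["empty_login"] = True
        for path in SENSITIVE_DIRS:
            try:
                ftp.cwd(path)              # any path restriction? (AC-3/AC-6)
                result["cwd_sensitive"].append(path)
            except ftplib.error_perm:
                pass                       # confined to a safe root
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


class _MockFtpHandler(socketserver.StreamRequestHandler):
    """Tiny FTP control-channel stub, constructed for this example only.
    server.weak=True mimics the advisory's description of FreeFloat;
    False mimics a server that authenticates and confines CWD to /pub."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 mock ftp ready")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.reply("331 Password required")
            elif cmd == "PASS":
                # weak: anything, even empty, logs in; hardened: one assumed account
                if self.server.weak or (user == "alice" and arg == "s3cret"):
                    self.reply("230 Logged in")
                else:
                    self.reply("530 Login incorrect")
            elif cmd == "CWD":
                if self.server.weak or arg.startswith("/pub"):
                    self.reply("250 Directory changed")
                else:
                    self.reply("550 Access denied")
            elif cmd == "QUIT":
                self.reply("221 Goodbye")
                return
            else:
                self.reply("502 Command not implemented")


def start_mock_server(weak):
    """Start a mock server on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockFtpHandler)
    server.daemon_threads = True
    server.weak = weak
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Check both mock servers; returns (weak_result, hardened_result)."""
    results = []
    for weak in (True, False):
        server, port = start_mock_server(weak)
        try:
            results.append(check_ftp_exposure("127.0.0.1", port))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    for label, res in zip(("weak", "hardened"), run_demo()):
        print(f"{label:9s} empty_login={res['empty_login']} cwd={res['cwd_sensitive']}")
```

Against the weak mock the check reports `empty_login=True` and both sensitive directories reachable; against the hardened mock it stops at the 530 and reports nothing. Pointing `check_ftp_exposure` at a real host is safe in the sense that it issues no STOR, but it is still an authentication attempt and should only be run with authorisation.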

Advisories from VulnCheck and FortiGuard describe the arbitrary file upload as the core issue. Public exploit code is available on Exploit-DB (EDB-ID 23226) and there is a dedicated Metasploit module (freefloatftp_wbem). The Tucows archive confirms FreeFloat FTP Server's legacy status, and no patch or vendor mitigation is referenced in the available information.

The public exploitation tooling (the Metasploit module and the Exploit-DB entry) indicates real-world attack feasibility against any exposed installation of this outdated Windows FTP server; since no fix exists, every installation is effectively unpatched. The CVE record was published on 2025-08-05 despite its 2012 identifier, the year corresponding to the original public disclosure rather than to the record's creation.


Vulnerability details

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.

CWE(s): CWE-306, CWE-434, CWE-732

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1047 Windows Management Instrumentation (Execution): Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Unauthenticated arbitrary file upload to privileged paths on a public-facing FTP server gives initial access (T1190); a .mof file dropped into wbem\mof is executed through WMI (T1047); and the upload itself is an ingress tool transfer (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
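The T1105 to T1047 chain above has a narrow, observable footprint on the host: a file appears in the MOF autocompile directory or under System32, written by a process that is not Windows servicing. The detection below is an added example, not from the page, the vendor or any advisory. It runs over constructed Sysmon Event ID 11 (FileCreate) records in a simplified one-JSON-object-per-line shape; the FTP server's image path and the allow-list of legitimate System32 writers are assumptions to tune per environment, and the directory constants assume a default C:\Windows install.

```python
"""Detection for the upload-then-execute chain described above: a file created
in the MOF autocompile directory (T1047 trigger) or executable content created
under System32 (T1105 drop) by a process that is not Windows servicing.

Added example, not from the page, the vendor or any advisory. It runs over
constructed Sysmon Event ID 11 (FileCreate) records in a simplified JSON-lines
shape; the FTP server image path and the allow-list are assumptions.
"""
import json
import ntpath

# Assumes a default C:\Windows install; compare lower-cased paths.
MOF_AUTOCOMPILE_DIR = r"c:\windows\system32\wbem\mof"
SYSTEM32_DIR = r"c:\windows\system32"
RISKY_EXT = {".mof", ".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs"}
# Example allow-list of processes expected to write under System32.
# This is an assumption for the example, not a vetted list.
ALLOWED_IMAGES = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}


def classify(event):
    """Return a finding for a suspicious FileCreate event, else None."""
    if event.get("EventID") != 11:
        return None
    target = event["TargetFilename"].lower()
    image = event["Image"].lower()
    directory = ntpath.dirname(target)   # ntpath parses Windows paths on any OS
    ext = ntpath.splitext(target)[1]
    if directory == MOF_AUTOCOMPILE_DIR:
        # Any write here is unusual; .mof content is what WMI auto-processes.
        technique, reason = "T1047", "file written to MOF autocompile directory"
    elif directory == SYSTEM32_DIR and ext in RISKY_EXT:
        technique, reason = "T1105", "executable content written to System32"
    else:
        return None
    if image in ALLOWED_IMAGES:
        return None
    return {"technique": technique, "reason": reason, "image": image,
            "target": target, "time": event.get("UtcTime")}


def scan(lines):
    """Parse JSON-lines Sysmon records and return the list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). The FTP server's image path
# is an assumed install location.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 11, "UtcTime": "2025-08-05 10:01:02",
     "Image": r"C:\FreeFloat\FTPServer.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\mof\update.mof"},
    {"EventID": 11, "UtcTime": "2025-08-05 10:01:09",
     "Image": r"C:\FreeFloat\FTPServer.exe",
     "TargetFilename": r"C:\Windows\System32\svc_helper.exe"},
    {"EventID": 11, "UtcTime": "2025-08-05 10:02:00",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\kernelbase.dll"},
    {"EventID": 11, "UtcTime": "2025-08-05 10:03:14",
     "Image": r"C:\FreeFloat\FTPServer.exe",
     "TargetFilename": r"C:\FreeFloat\pub\readme.txt"},
    {"EventID": 1, "UtcTime": "2025-08-05 10:03:20",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]]


def demo_findings():
    """Run the detection over the constructed sample; returns the findings."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['time']} {f['technique']} {f['reason']}: {f['image']} -> {f['target']}")
```

On the sample, only the two writes by the FTP server process are reported (the .mof drop as T1047, the .exe drop as T1105); the servicing write and the upload into the server's own public directory are not. Tightening the rule to alert on any write into wbem\mof, regardless of the image, is reasonable on hosts where nothing should be compiling MOF files.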

CVEs Like This One

CVE-2019-25614 (same product: FreeFloat FTP Server)
CVE-2012-10023 (same product: FreeFloat FTP Server)
CVE-2025-8450 (shared CWE-306, CWE-434)
CVE-2026-2269 (shared CWE-434)
CVE-2025-25783 (shared CWE-434)
CVE-2025-27683 (shared CWE-434)
CVE-2024-8019 (shared CWE-434)
CVE-2024-41340 (shared CWE-434)
CVE-2026-5573 (shared CWE-434)
CVE-2025-7880 (shared CWE-434)

Affected Assets

Vendor: freefloat · Product: freefloat ftp server · Version: 1.0

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) enforces approved access authorizations, preventing unauthenticated arbitrary file uploads to sensitive directories like system32 and wbem\mof.

Prevent: IA-8, Identification and Authentication (Non-Organizational Users), requires identification and authentication for non-organizational users, blocking the server's acceptance of empty credentials.

Prevent: AC-6 (Least Privilege) applies least privilege, countering the default grant of C:\ root access and unrestricted destination paths to unauthenticated users.
