CVE-2012-10030
Published: 05 August 2025
Summary
CVE-2012-10030 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in FreeFloat FTP Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement) enforces approved access authorizations, so that unauthenticated clients cannot upload arbitrary files to sensitive directories such as system32 and wbem\mof.
IA-8 (Identification and Authentication, Non-organizational Users) requires identification and authentication for users outside the organization, so that the server cannot accept empty credentials.
AC-6 (Least Privilege) applies least privilege, countering the default grant of C:\ root access and unrestricted destination paths to unauthenticated users; the FTP service itself should also run under an account that cannot write to system directories.
NVD Description
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.
Deeper analysis
CVE-2012-10030 is a critical vulnerability in FreeFloat FTP Server, stemming from multiple design flaws that enable unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, grants default user access to the root of the C:\ drive, and enforces no restrictions on file types or destination paths. These issues, classified under CWE-306 (Missing Authentication for Critical Function), CWE-434 (Unrestricted Upload of File with Dangerous Type), and CWE-732 (Incorrect Permission Assignment for Critical Resource), allow uploads directly to privileged locations such as system32 and wbem\mof.
Unauthenticated attackers with network access to the FTP server can exploit this vulnerability to achieve remote code execution with SYSTEM-level privileges and no user interaction: an executable payload is uploaded to system32 and a .mof file referencing it is dropped into wbem\mof, where the WMI service compiles and runs it automatically. Two conditions underpin the full impact. The write only lands in those directories because the FTP service itself runs with rights to them, and the automatic compilation of files dropped into wbem\mof is a behaviour of Windows XP and Server 2003; later Windows releases do not auto-compile that directory, so on them the flaw still gives an arbitrary file write into system directories but does not by itself trigger execution. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects the low attack complexity and the potential for full system compromise.
Advisories from sources such as VulnCheck and FortiGuard describe the arbitrary file upload as the core issue. Public exploit code is available on Exploit-DB (EDB-ID 23226) and as a dedicated Metasploit module (exploit/windows/ftp/freefloatftp_wbem). The Tucows archive confirms FreeFloat FTP Server's legacy status, and no patches or vendor mitigations are referenced in the available information.
The Metasploit module and the Exploit-DB entry indicate that attacks against any reachable installation of this unmaintained Windows FTP server are practical; with no fix available, the only remediation is to remove the server or isolate it behind authentication and network controls. The CVE record was published on 2025-08-05; the 2012 in the identifier reflects the year of the original public disclosure rather than the year the record was published.
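The three design flaws listed in the NVD description and mapped to AC-3, IA-8 and AC-6 above are each a single server-side decision. The following is an added example, not FreeFloat's code, that models each flawed decision beside its hardened form: accepting any credentials versus verifying a stored digest, honouring the client's path against a C:\ root versus confining it to a per-user root, and accepting any file type versus an extension check that normalises the name the way NTFS does. The FTP root, the account table, the password and the blocked-extension list are constructed for the demonstration.

```python
"""Added example (not FreeFloat's code): the three server-side decisions
that CVE-2012-10030 describes as missing, each shown as the flawed
behaviour beside a hardened version.  Account names, the FTP root and the
blocked-extension list are constructed for the demonstration."""
import hashlib
import hmac
import ntpath

# Assumption: a per-user root under a dedicated data folder, not C:\ (AC-6).
FTP_ROOT = r"C:\ftproot\users\alice"

# Types an upload service has no reason to accept from clients (CWE-434).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".mof", ".ps1", ".bat", ".cmd", ".vbs", ".scr"}


def _digest(password: str) -> str:
    # SHA-256 keeps the demo dependency-free; real password storage should
    # use a slow, salted KDF such as scrypt or argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed account table: user -> password digest.
ACCOUNTS = {"alice": _digest("correct-horse-battery-staple")}


# --- CWE-306 / IA-8: authentication ---------------------------------------

def vulnerable_login(user: str, password: str) -> bool:
    """Models the flaw: every USER/PASS pair is accepted, including "" / ""."""
    return True


def hardened_login(user: str, password: str, accounts=ACCOUNTS) -> bool:
    """Empty credentials and unknown users are refused; digests are compared
    in constant time."""
    if not user or not password:
        return False
    stored = accounts.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


# --- CWE-732 / AC-3, AC-6: destination path ------------------------------

def vulnerable_resolve(requested: str) -> str:
    """Models the flaw: the root is C:\\ and the client's path is honoured
    as-is, so traversal or a rooted path lands anywhere on the drive."""
    return ntpath.normpath(ntpath.join("C:\\", requested))


def hardened_resolve(requested: str, root: str = FTP_ROOT):
    """Confine the destination to root; return None for anything that would
    escape it (drive letters, UNC or rooted paths, '..' above the root)."""
    if ":" in requested or requested.startswith(("\\", "/")):
        return None
    rel = ntpath.normpath(requested)          # collapses '.' and inner '..'
    if rel == ".." or rel.startswith("..\\"):
        return None                           # traversal above the root
    dest = ntpath.normpath(ntpath.join(root, rel))
    if not dest.lower().startswith(root.lower() + "\\"):
        return None                           # belt and braces
    return dest


# --- CWE-434: file type ---------------------------------------------------

def allowed_filename(name: str) -> bool:
    """Extension check that matches how NTFS names the file: Windows strips
    trailing dots and spaces, so "evil.mof." is created as "evil.mof"."""
    name = name.rstrip(". ")
    return bool(name) and ntpath.splitext(name)[1].lower() not in BLOCKED_EXTENSIONS


# --- STOR handling, flawed and hardened ----------------------------------

def vulnerable_stor(user: str, password: str, requested: str) -> str:
    """Where the flawed server writes the upload (it never refuses)."""
    if not vulnerable_login(user, password):  # never happens
        return "refused"
    return vulnerable_resolve(requested)


def hardened_stor(user: str, password: str, requested: str) -> str:
    """Returns the confined destination path, or the reason for refusal."""
    if not hardened_login(user, password):
        return "refused: authentication required"
    dest = hardened_resolve(requested)
    if dest is None:
        return "refused: destination outside the user's root"
    if not allowed_filename(ntpath.basename(dest)):
        return "refused: file type not permitted"
    return dest


if __name__ == "__main__":
    # Constructed STOR requests, including the wbem\mof path from the advisory.
    requests = [
        ("", "", r"..\..\Windows\System32\wbem\mof\evil.mof"),
        ("alice", "correct-horse-battery-staple", r"..\..\Windows\System32\wbem\mof\evil.mof"),
        ("alice", "correct-horse-battery-staple", "evil.mof."),
        ("alice", "correct-horse-battery-staple", r"docs\report.txt"),
    ]
    for user, pw, path in requests:
        print(f"{path!r:52} flawed   -> {vulnerable_stor(user, pw, path)}")
        print(f"{'':52} hardened -> {hardened_stor(user, pw, path)}")
```

The path check deliberately refuses anything containing a colon or starting with a separator before normalising, because `ntpath.join` silently discards the configured root when the client supplies a drive letter or a rooted path, which is exactly how a C:\-rooted server ends up writing into system32. The extension check runs on the name after the trailing-dot strip; without it, a client can name the upload `evil.mof.` and have the filesystem create `evil.mof`.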
Details
- CWE(s)