CVE-2013-10042
Published: 31 July 2025
Summary
CVE-2013-10042 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in freeFTPd (vendor: Freeftpd). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2013-10042 is a stack-based buffer overflow vulnerability in freeFTPd version 1.0.10 and earlier, affecting the handling of the FTP PASS command. The application fails to validate the length of the provided password string, allowing a specially crafted input to trigger memory corruption. This issue, mapped to CWE-121 (Stack-based Buffer Overflow), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity with network accessibility, low complexity, and potential for high impacts across confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability remotely if the anonymous user account is enabled on the FTP server. By sending a malicious password string via the PASS command, the attacker can cause a denial of service through application crash or achieve arbitrary code execution by overwriting the stack, granting full system compromise on the targeted Windows host running freeFTPd.
Advisories and references, including a Vulncheck advisory on the PASS command overflow, highlight the issue but do not specify patches, as freeFTPd appears unmaintained. Public proof-of-concept exploits exist, such as a Metasploit module for Windows FTP freeftpd_pass and an Exploit-DB entry (27747), enabling straightforward remote exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-7252
Vulnerability details
A stack-based buffer overflow vulnerability exists in freeFTPd version 1.0.10 and earlier in the handling of the FTP PASS command. When an attacker sends a specially crafted password string, the application fails to validate input length, resulting in memory corruption. This can lead to denial of service or arbitrary code execution. Exploitation requires the anonymous user account to be enabled.
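The defect class described above, as an added illustration that is not freeFTPd's source: a hypothetical PASS handler that copies the client-supplied argument into a fixed stack buffer without a length check, beside a hardened version that measures and rejects the argument first. PASS_MAX and the function names are assumptions for the sketch.

```c
#include <string.h>

/* Hypothetical sketches, not freeFTPd's code; PASS_MAX is an assumed size. */
#define PASS_MAX 64

/* Vulnerable pattern (illustration only, never called below): copy length
 * comes from the client, so a long PASS argument overruns pw (CWE-121). */
int pass_vulnerable(const char *line)
{
    char pw[PASS_MAX];
    strcpy(pw, line + 5); /* no length check */
    return pw[0] != '\0';
}

/* Hardened handler: measure the argument and reject it before it reaches the
 * stack buffer (input validation, SI-10). Returns 0 on success, -1 if the
 * line is not a PASS command, -2 if the argument is too long for the buffer. */
int pass_hardened(const char *line, char *out, size_t out_len)
{
    if (strncmp(line, "PASS ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n"); /* argument ends at CRLF (RFC 959) */
    if (n >= out_len)                /* leave room for the terminator */
        return -2;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Same stack-buffer layout as the vulnerable version; a 0 return means the
 * password was copied in bounds and may be passed to authentication. */
int handle_pass(const char *line)
{
    char pw[PASS_MAX];
    return pass_hardened(line, pw, sizeof pw);
}

/* Builds a constructed PASS line with `len` filler bytes and returns the
 * handler's verdict, so the check can be exercised without a socket. */
int check_pass_length(size_t len)
{
    char line[4096];
    if (len > sizeof line - 8)
        return -99;
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', len);
    memcpy(line + 5 + len, "\r\n", 3);
    return handle_pass(line);
}
```

With the hardened handler, an over-long argument is refused before any stack write, which is the SI-10 control named below expressed in code; SI-16 mechanisms (canaries, DEP, ASLR) remain a second layer for whatever validation misses.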
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated stack buffer overflow in public-facing FTP server (PASS command) directly enables T1190 for RCE or DoS on the Windows host.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of all inputs, including password lengths in the FTP PASS command, to directly prevent stack-based buffer overflows from unvalidated data.
- SI-16 (Memory Protection): provides memory protection mechanisms such as stack canaries, ASLR, and DEP to mitigate exploitation of stack buffer overflows leading to code execution or crashes.
- SI-2 (Flaw Remediation): ensures flaws such as CVE-2013-10042 are remediated through patching, configuration hardening, or software replacement to eliminate the vulnerability.