CVE-2021-47865
Published: 21 January 2026
Summary
CVE-2021-47865 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in ProFTPD (product inferred from the references). Its listed CVSS base score is 8.7 (High); the CVSS v3.1 vector given under Deeper analysis scores 7.5.
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). It is ranked at the 41.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2021-47865 is a denial of service vulnerability affecting ProFTPD version 1.3.7a. The flaw lets an attacker overwhelm the server by opening many simultaneous FTP connections from a multi-threaded client, consuming the server's connection limit so that legitimate users are refused. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability can be exploited by any remote attacker over the network with low attack complexity and no privileges, authentication, or user interaction: the connections only need to be opened and held, not logged in. Successful exploitation results in resource exhaustion, rendering the FTP server unavailable to legitimate users because every available connection slot is occupied.
Advisories and related resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/proftpd-a-remote-denial-of-service, a ProFTPD GitHub issue at https://github.com/proftpd/proftpd/issues/1298, and the official ProFTPD site at http://www.proftpd.org/. A proof-of-concept exploit is publicly available at https://www.exploit-db.com/exploits/49697.
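The flood described above leaves a recognisable trace in ProFTPD's syslog output: one "FTP session opened." line per connection, many of them from a single source in a short window, followed eventually by the daemon refusing new connections. The following detector is an added example, not code from the page, the advisory, or the ProFTPD project. It runs over constructed log lines written in the shape of ProFTPD's syslog messages; the exact wording of the "MaxInstances ... reached" line and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a ProFTPD syslog line. The "(host[ip])" client part is optional because
# the master daemon logs capacity messages without it. Assumed format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\] \S+"
    r"(?: \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\))?: (?P<msg>.*)$"
)


def parse_line(line, year=2026):
    """Return a dict with ts/pid/ip/msg, or None for lines that are not ProFTPD."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "pid": int(m["pid"]), "ip": m["ip"], "msg": m["msg"]}


def analyze(log_text, max_concurrent=10, burst_window_s=5, burst_threshold=10):
    """Flag per-source connection floods and server-side capacity exhaustion.

    Three alert kinds are produced, each once per condition:
      connection_burst   - burst_threshold opens from one IP within burst_window_s
      concurrent_limit   - more than max_concurrent sessions open from one IP
      capacity_exhausted - the daemon itself reports it is out of instances
    """
    open_sessions = defaultdict(set)   # ip -> child pids whose session is still open
    recent_opens = defaultdict(list)   # ip -> timestamps of opens inside the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if msg.startswith("MaxInstances"):          # assumed wording, see lead-in
            alerts.append(("capacity_exhausted", None, msg))
            continue
        ip = ev["ip"]
        if msg == "FTP session opened.":
            open_sessions[ip].add(ev["pid"])
            window = [t for t in recent_opens[ip]
                      if (ev["ts"] - t).total_seconds() <= burst_window_s]
            window.append(ev["ts"])
            recent_opens[ip] = window
            if len(open_sessions[ip]) == max_concurrent + 1:
                alerts.append(("concurrent_limit", ip,
                               f"{len(open_sessions[ip])} sessions open at once"))
            if len(window) == burst_threshold:
                alerts.append(("connection_burst", ip,
                               f"{burst_threshold} connects within {burst_window_s}s"))
        elif msg == "FTP session closed.":
            open_sessions[ip].discard(ev["pid"])
    return alerts


def constructed_log():
    """Constructed sample: one legitimate user, then a 12-connection flood from one host."""
    lines = ["Jan 21 10:00:00 ftp1 proftpd[4100] ftp1 (alice.example[198.51.100.7]): FTP session opened."]
    for i in range(12):   # attacker opens 12 sessions in about 3 seconds and never logs in
        lines.append(f"Jan 21 10:00:{i // 4:02d} ftp1 proftpd[{4101 + i}] ftp1 "
                     f"(203.0.113.9[203.0.113.9]): FTP session opened.")
    lines.append("Jan 21 10:00:03 ftp1 proftpd[1000] ftp1: MaxInstances (13) reached, new connection denied")
    lines.append("Jan 21 10:05:00 ftp1 proftpd[4100] ftp1 (alice.example[198.51.100.7]): FTP session closed.")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, ip, detail in analyze(constructed_log()):
        print(f"{kind:20} {ip or '-':15} {detail}")
```

Counting open sessions by child PID rather than by raw connection count matters here: the attack holds connections open without authenticating, so the signal is sustained concurrency from one source, not just a burst. On a real host, point the detector at the file that receives ProFTPD's syslog output and tune the thresholds to the server's MaxInstances and normal client behaviour.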
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3621
Vulnerability details
ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.003 (Application Exhaustion Flood)
Why these techniques?
The vulnerability directly enables application exhaustion by connection flooding against a public-facing FTP service.
Affected Assets: ProFTPD 1.3.7a
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly protects against denial-of-service attacks like CVE-2021-47865 by implementing mechanisms that limit or block excessive simultaneous FTP connections before they exhaust server resources.
- AC-10 (Concurrent Session Control): limits concurrent sessions so that an attacker cannot fill ProFTPD's connection slots with many threaded FTP connections from one source.
More generally, resource availability is preserved by throttling or dedicated-allocation mechanisms that keep the FTP server's connection limit from being exhausted by a single client.
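In ProFTPD these controls translate into a handful of mod_core directives: MaxInstances bounds the total child count, MaxConnectionsPerHost counts connections at connect time (before authentication, which is where this flood lives), MaxConnectionRate throttles the accept rate, and a short TimeoutLogin frees slots held by sessions that never log in. The audit below is an added example, not code from the page or the ProFTPD project. It parses a proftpd.conf-style text and reports the missing bounds; both configurations are constructed for the example, the numeric values are illustrative rather than recommended defaults, the MaxConnectionRate argument form is assumed from the mod_core documentation, and the parser deliberately ignores <VirtualHost> scoping.

```python
import re

# Constructed example: a listener with only the stock bounds, open to a held-connection flood.
WEAK_CONF = """\
ServerName   "ftp.example"
ServerType   standalone
Port         21
MaxInstances 30
TimeoutLogin 300
"""

# Constructed example: the same listener with per-host, rate and login-time bounds.
HARDENED_CONF = """\
ServerName            "ftp.example"
ServerType            standalone
Port                  21
MaxInstances          200
MaxConnectionsPerHost 5        # counted at connect time, before USER/PASS
MaxConnectionRate     10 5     # argument form assumed from mod_core docs
MaxClientsPerHost     3        # counted at login time
TimeoutLogin          30       # seconds an unauthenticated session may hold a slot
TimeoutNoTransfer     300
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s+(.*?)\s*$")


def parse_directives(conf_text):
    """Map lowercased directive name -> raw argument string.

    Comments and <Block> tags are skipped; the whole file is treated as one scope,
    so a directive set inside a <VirtualHost> is seen as global (assumption).
    """
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = m.group(2)
    return directives


def audit(conf_text, max_login_timeout=60):
    """Return a list of findings describing why the config does not bound a connection flood."""
    d = parse_directives(conf_text)
    findings = []
    if "maxinstances" not in d:
        findings.append("MaxInstances unset: child process count is unbounded")
    if "maxconnectionsperhost" not in d:
        findings.append("MaxConnectionsPerHost unset: one host can take every slot without authenticating")
    if "maxconnectionrate" not in d:
        findings.append("MaxConnectionRate unset: a threaded client can open connections as fast as accept() allows")
    # ProFTPD's built-in default for TimeoutLogin is 300 seconds.
    timeout = int(d.get("timeoutlogin", "300").split()[0])
    if timeout > max_login_timeout:
        findings.append(f"TimeoutLogin {timeout}s: unauthenticated sessions hold a slot too long "
                        f"(want <= {max_login_timeout})")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in audit(conf) or ["no findings"]:
            print("  -", f)
```

Raising MaxInstances alone does not fix the flood; it only raises the number of connections the attacker must hold. The per-host and rate limits are what turn a single-source flood into a bounded cost, and the short login timeout is what reclaims slots from connections that are opened and then left idle.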