Cyber Resilience

CVE-2021-47865

High · Public PoC · DDoS

Published: 21 January 2026
Modified: 15 April 2026
CVSS v4.0 score: 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0054 (41.1st percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2021-47865 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in ProFTPD (the affected product is inferred from the references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 41.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2021-47865 is a denial of service vulnerability affecting ProFTPD version 1.3.7a. The flaw enables attackers to overwhelm the server by creating multiple simultaneous FTP connections, leveraging threading to exhaust server connection limits and block legitimate user access. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

The vulnerability can be exploited by any remote attacker requiring no privileges, authentication, or user interaction, with low attack complexity over the network. Successful exploitation results in resource exhaustion, rendering the FTP server unavailable to legitimate users by maxing out connection slots.

Advisories and related resources include the Vulncheck advisory at https://www.vulncheck.com/advisories/proftpd-a-remote-denial-of-service, a ProFTPD GitHub issue at https://github.com/proftpd/proftpd/issues/1298, and the official ProFTPD site at http://www.proftpd.org/. A proof-of-concept exploit is publicly available at https://www.exploit-db.com/exploits/49697.


Vulnerability details

ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Directly enables application exhaustion via connection flooding against public-facing FTP service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35401 (shared CWE-770)
CVE-2025-68151 (shared CWE-770)
CVE-2026-1662 (shared CWE-770)
CVE-2026-29609 (shared CWE-770)
CVE-2026-40104 (shared CWE-770)
CVE-2026-35526 (shared CWE-770)
CVE-2026-28478 (shared CWE-770)
CVE-2025-27419 (shared CWE-770)
CVE-2026-35562 (shared CWE-770)
CVE-2026-33594 (shared CWE-770)

Affected Assets

ProFTPD (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly protects against denial-of-service attacks like CVE-2021-47865 by implementing mechanisms to limit or block excessive simultaneous FTP connections that exhaust server resources.

prevent: Limits concurrent sessions to prevent attackers from overwhelming ProFTPD connection slots through multiple threaded FTP connections.

prevent: Ensures resource availability by employing throttling or dedicated allocation mechanisms to mitigate exhaustion of FTP server connection limits.
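As an added illustration of the session-limiting and denial-of-service-protection controls listed above (not configuration taken from the page or from the ProFTPD project), the following proftpd.conf fragment caps the total and per-source connection counts that a connection flood can consume and shortens the windows in which idle or unauthenticated sessions hold a slot; the numeric values are assumptions to be sized to the server.

```apacheconf
# Illustrative proftpd.conf fragment (added example; all values are assumptions)

# Standalone mode: MaxInstances caps how many child processes the daemon
# will fork, so a flood cannot spawn an unbounded number of workers.
ServerType        standalone
MaxInstances      100

# Global ceiling on simultaneous authenticated clients, with the message
# returned to clients refused above the limit.
MaxClients        50 "Sorry, the maximum number of allowed users is already connected"

# Per-source ceilings: one address may hold only a few sessions at once and
# may only open a bounded number of connections, so a single multi-threaded
# client cannot monopolise the slots capped above.
MaxClientsPerHost     3 "Too many sessions from your address"
MaxConnectionsPerHost 5 "Too many connections from your address"

# Shorten the windows in which a connection occupies a slot without doing
# useful work: time allowed to complete login, idle time, and time with no
# data transfer in progress (all in seconds).
TimeoutLogin      30
TimeoutIdle       120
TimeoutNoTransfer 180
```

Per-host limits still admit a distributed flood up to the global MaxClients/MaxInstances ceiling, so pair them with network-level rate limiting and alerting on connection counts per source.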
