Cyber Resilience

CVE-2023-51713

HighPublic PoC

Published: 22 December 2023

Published
22 December 2023
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.7030 98.7th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51713 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Proftpd Proftpd. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

ProFTPD versions prior to 1.3.8a contain a one-byte out-of-bounds read in the make_ftp_cmd function within main.c. The flaw stems from incorrect handling of quote and backslash characters in FTP command processing and is tracked as CWE-125. It produces a daemon crash with no confidentiality or integrity impact, corresponding to a CVSS 3.1 base score of 7.5.

An unauthenticated remote attacker can send a crafted FTP command containing specific quote or backslash sequences to trigger the read. Successful exploitation results only in denial of service through an immediate process termination; no code execution or data exposure has been demonstrated.

The project’s NEWS file and associated GitHub issue confirm that the defect is resolved in release 1.3.8a. Administrators are advised to upgrade ProFTPD instances to that version or later.

The CVE carries an EPSS score that reached a peak of 0.7339, indicating notable exploitation interest after public disclosure.

EU & UK References

Vulnerability details

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

proftpd
proftpd
≤ 1.3.8a

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References