
Vulnerabilities in FTP servers (vsftpd, ProFTPD, Pure-FTPd)

FTP is an old protocol with old problems: cleartext credentials, anonymous access enabled by default in legacy installs, and a long CVE history. The better question is whether you should be running FTP at all.

Why FTP findings deserve a hard look

FTP predates secure-by-default thinking. The base protocol sends credentials and file contents in cleartext, and the daemons that implement it have a long history of CVEs: the backdoor shipped in the vsftpd 2.3.4 tarball (CVE-2011-2523, the "smiley face" backdoor, which spawned a shell when the login name contained ":)"), ProFTPD's mod_copy file copy without authentication (CVE-2019-12815, SITE CPFR/CPTO, leading to code execution), and many memory-safety bugs in older versions of every major implementation.

If the scanner finds an FTP server, it’s usually one of three situations:

  1. Legacy file transfer between business partners. Banks, EDI exchanges, accounting integrations that have been running on FTP since the 90s. Migrating these is political, not technical.
  2. Hosting customer panel. Shared-hosting customers using an FTP client to upload websites. Often FTPS or SFTP rather than plain FTP, but the daemon is still in the family.
  3. Accidental. A development environment that should never have been on the public internet, a leftover from a long-gone use case, a default-enabled service on a NAS or printer.

Cases 2 and 3 are the most common in our scans. The fix for both is usually “stop running FTP”, not “patch FTP”.

What’s structurally wrong with plain FTP

Plain FTP has three problems that no patch addresses:

  • Cleartext credentials and data. Every login and every file transfer crosses the network in the clear. Anyone on the path can read it.
  • The two-channel design is hostile to firewalls. Active mode needs the server to open a connection back to the client; passive mode needs a range of high ports open on the server. FTP predates network address translation, so getting it through modern firewalls requires either a wide port range or stateful FTP-aware NAT helpers, which themselves have a CVE history.
  • Anonymous access is a default in some installations. A small business inheriting a NAS shipped with anonymous FTP enabled has effectively published “any file in /home/ftp” to the internet.

The combined risk is independent of any specific CVE.

Migrating off FTP

The plain replacement is SFTP (SSH File Transfer Protocol). One TCP connection, runs as an SSH subsystem (OpenSSH's sftp-server or internal-sftp), encrypted by default, firewall-friendly, supports public-key authentication. Every modern FTP client (WinSCP, FileZilla, Cyberduck, Transmit) speaks SFTP natively.

For the niche cases:

  • FTP/S (FTP over TLS). Encrypts the control and data channels but keeps the two-channel design, and because the firewall can no longer read PASV/PORT from the encrypted control channel, the NAT helper stops working: pin the passive port range in the daemon and open it explicitly. Useful if a partner organisation absolutely requires FTP semantics.
  • HTTPS file upload. For browser-based file submission flows, drop FTP entirely and use a small file-upload endpoint behind your normal authentication.
  • Object storage (S3, Backblaze B2, Wasabi). For partner data exchange, give the partner a pre-signed URL or an IAM credential. No FTP infrastructure to maintain.

For business partners that won’t migrate, keep FTP/S running with the narrowest possible exposure: single source IP allowlist, dedicated account per partner, file structure restricted to their own directory.
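The per-partner SFTP account described above (dedicated account, restricted to its own directory, reachable only from the partner's address) is mostly sshd configuration plus one filesystem rule that trips people up. The following is an added example, not blueredix code and not an OpenSSH tool: it renders the sshd_config Match block and the authorized_keys entry for one partner, and checks the ownership rule sshd enforces on ChrootDirectory (every path component must be a root-owned directory that is not group- or world-writable). The account name acme, the path /srv/partners/acme and the address 203.0.113.10 are example values.

```python
import os
import stat
from collections import namedtuple

# Added example, not blueredix code. Account name, paths and addresses are
# example values. The chroot rule implemented in chroot_path_problems() is the
# one documented for ChrootDirectory in sshd_config(5).

def render_partner_match(user, chroot_dir):
    """Match block for one partner. Only 'Match User' is used as the criterion:
    adding 'Address' to the criteria would mean that a login from anywhere
    else falls through to the default (unrestricted) configuration. Pin the
    source address on the key instead (see render_authorized_key)."""
    return (
        f"Match User {user}\n"
        f"    ChrootDirectory {chroot_dir}\n"
        f"    ForceCommand internal-sftp -u 027\n"
        f"    PasswordAuthentication no\n"
        f"    AllowTcpForwarding no\n"
        f"    X11Forwarding no\n"
        f"    PermitTunnel no\n"
    )

def render_authorized_key(pubkey_line, allowed_from):
    """authorized_keys entry pinning the partner's key to its source address.
    'restrict' (OpenSSH 7.2+) disables port/agent/X11 forwarding and pty
    allocation for this key regardless of server defaults."""
    return f'from="{allowed_from}",restrict {pubkey_line.strip()}\n'

# Minimal stat-like record so the path check can be exercised without root.
StatLike = namedtuple("StatLike", "st_uid st_mode")

def chroot_path_problems(chroot_dir, stat_fn=os.stat):
    """Return sshd's objections to chroot_dir (empty list if acceptable):
    every component from / down must be a directory owned by root and not
    writable by group or others. stat_fn is injectable for dry runs."""
    problems = []
    path = os.path.abspath(chroot_dir)
    prefixes, cur = [], path
    while True:
        prefixes.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for p in reversed(prefixes):            # from / down to the leaf
        st = stat_fn(p)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{p}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: group- or world-writable")
    return problems

# Because the chroot root itself must be root-owned and not writable by the
# partner, the writable drop box is a subdirectory inside it (example layout):
PARTNER_LAYOUT = """\
/srv/partners/acme            root:root  0755   (ChrootDirectory)
/srv/partners/acme/incoming   acme:acme  0750   (the only writable path)
"""

if __name__ == "__main__":
    print(render_partner_match("acme", "/srv/partners/acme"))
    print(render_authorized_key("ssh-ed25519 AAAAexample acme", "203.0.113.10"))
    print(PARTNER_LAYOUT)
    for problem in chroot_path_problems("/srv/partners/acme"):
        print("chroot:", problem)
```

Run `chroot_path_problems()` against the real directory before enabling the account; sshd reports the same condition only as a terse "bad ownership or modes for chroot directory" at login time.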

When patching plain FTP is the only option

If migration isn’t possible right now, the priority is the same as for other services:

  1. Take it off the public internet. Bind to a private interface or restrict the source IP. Many of the worst FTP CVEs, both of the ones cited above included, are reachable before authentication, so network reachability is the whole precondition.
  2. Patch in the same week. vsftpd, ProFTPD, and Pure-FTPd all ship security releases promptly. Ubuntu/Debian packages of these update via the regular security stream.
  3. Disable anonymous access: anonymous_enable=NO in vsftpd, <Anonymous> blocks removed from ProFTPD config, the -E (--noanonymous) flag for Pure-FTPd.
  4. Use chroot directives (chroot_local_user=YES in vsftpd, DefaultRoot ~ in ProFTPD, -A for Pure-FTPd) to constrain users to their home directories. chroot is containment, not a sandbox: vsftpd 2.3.5 and later refuses the session if the chroot root is writable, so keep the home directory root-owned and give the user a writable subdirectory rather than setting allow_writeable_chroot=YES.
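Steps 1, 3 and 4 (and the cleartext problem from earlier) are all visible in a vsftpd.conf, so they can be checked mechanically. The following is an added example, not blueredix code: a small audit of a vsftpd.conf against those steps, with a constructed weak config and its hardened counterpart embedded for comparison. The defaults it assumes when a directive is absent are the ones documented in vsftpd.conf(5); the address 10.20.0.5 is an example value.

```python
# Added example, not blueredix code. Both configs below are constructed samples.

WEAK_CONF = """\
listen=YES
listen_address=0.0.0.0
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
"""

HARDENED_CONF = """\
listen=YES
listen_address=10.20.0.5
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

def parse_vsftpd_conf(text):
    """Return {directive: value}. vsftpd skips blank lines and '#' comments;
    directives are case-sensitive and a later directive overrides an earlier
    one, so the last occurrence wins here too."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(text):
    """List of findings keyed to the steps above; empty when all pass.
    Assumed defaults (vsftpd.conf(5)): anonymous_enable=YES,
    chroot_local_user=NO, allow_writeable_chroot=NO, ssl_enable=NO,
    listen_address unset (all interfaces)."""
    c = parse_vsftpd_conf(text)
    findings = []
    # Step 1: in standalone mode the daemon binds itself; in inetd mode
    # (listen=NO) the binding belongs to inetd and must be checked there.
    if c.get("listen", "NO") == "YES" or c.get("listen_ipv6", "NO") == "YES":
        bound = c.get("listen_address", "") or c.get("listen_address6", "")
        if bound in ("", "0.0.0.0", "::"):
            findings.append("step 1: listens on all interfaces; set listen_address to a private IP")
    # Step 3: anonymous access is the compiled-in default.
    if c.get("anonymous_enable", "YES") == "YES":
        findings.append("step 3: anonymous_enable is YES; set anonymous_enable=NO")
    # Step 4: only meaningful when local users can log in at all.
    if c.get("local_enable", "NO") == "YES":
        if c.get("chroot_local_user", "NO") != "YES":
            findings.append("step 4: local users are not chrooted; set chroot_local_user=YES")
        elif c.get("allow_writeable_chroot", "NO") == "YES":
            findings.append("step 4: allow_writeable_chroot=YES weakens the chroot boundary")
    # Cleartext: without TLS every login crosses the network in the clear.
    if c.get("ssl_enable", "NO") != "YES":
        findings.append("cleartext: ssl_enable is NO; credentials and data are sent unencrypted")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(text) or ["ok"])
```

The audit is read-only and does not know about per-user config directories (user_config_dir), so run it on the effective file and treat a clean result as necessary, not sufficient.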

How blueredix surfaces FTP findings

The scanner detects vsftpd, ProFTPD, Pure-FTPd, and similar from their banner strings and applies the same database lookup and filtering as for other services.

For each FTP-server finding the report shows:

  • The detected version.
  • Whether anonymous access appears to be enabled (we attempt an anonymous login as part of the banner-grab).
  • The applicable CVEs after the false-positive filter.
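The detection described above comes down to a short control-channel exchange: read the 220 greeting, recognise the daemon from it, then send USER anonymous and see whether the server answers 230 (logged in) or 530 (refused). The following is an added example, not blueredix's scanner and not its detection database: a minimal probe that does exactly that, plus a constructed loopback stand-in for a real daemon so the exchange can be run offline. The banner strings and the reply texts in the stand-in are modelled on vsftpd and Pure-FTPd greetings.

```python
import re
import socket
import threading

# Added example, not blueredix's scanner. fake_ftp_server() is a constructed
# test double; the banner texts passed to it are sample values.

def read_reply(rfile):
    """Read one FTP reply, including the multi-line form ('220-...' until a
    line starting with '220 '). Returns (code, full_text)."""
    first = rfile.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    line = first.decode("latin-1").rstrip("\r\n")
    code, lines = line[:3], [line]
    if len(line) > 3 and line[3] == "-":
        while True:
            raw = rfile.readline()
            if not raw:
                raise ConnectionError("connection closed inside multi-line reply")
            nxt = raw.decode("latin-1").rstrip("\r\n")
            lines.append(nxt)
            if nxt.startswith(code + " ") or nxt == code:
                break
    return int(code), "\n".join(lines)

BANNER_RE = re.compile(r"(vsFTPd|ProFTPD|Pure-FTPd)\s*([0-9][0-9A-Za-z.\-]*)?")

def parse_banner(text):
    """(product, version) from the greeting, e.g. '220 (vsFTPd 3.0.3)' ->
    ('vsFTPd', '3.0.3'). Pure-FTPd does not put a version in its banner, so
    version is None there. Returns None for an unrecognised daemon."""
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None

def probe(host, port=21, timeout=5.0):
    """Banner-grab plus anonymous-login attempt. 'anonymous' is True only if
    the server answers 230; 530 or anything else counts as refused."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        code, banner = read_reply(rf)
        result = {"banner": banner, "product": None, "version": None, "anonymous": False}
        if code != 220:
            return result
        ident = parse_banner(banner)
        if ident:
            result["product"], result["version"] = ident
        s.sendall(b"USER anonymous\r\n")
        code, _ = read_reply(rf)
        if code == 331:  # password wanted: the conventional e-mail address
            s.sendall(b"PASS anonymous@example.invalid\r\n")
            code, _ = read_reply(rf)
        result["anonymous"] = code == 230
        s.sendall(b"QUIT\r\n")
        return result

def fake_ftp_server(banner, allow_anonymous):
    """Constructed stand-in for a daemon: listens on a random loopback port,
    serves one client with the given anonymous policy, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(banner)
            while True:
                line = rf.readline()
                if not line:
                    break
                cmd = line.split(None, 1)[0].upper() if line.strip() else b""
                if cmd == b"USER":
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == b"PASS":
                    conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                                 else b"530 Login incorrect.\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return host, port

if __name__ == "__main__":
    h, p = fake_ftp_server(b"220 (vsFTPd 3.0.3)\r\n", allow_anonymous=True)
    print(probe(h, p))
```

Against a real host, point `probe()` at the address and port from the scan; a daemon that refuses anonymous at the USER stage (530 before any PASS) is handled by the same code path, since only a 230 is treated as success.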

The “is FTP exposed at all” finding usually outweighs the specific CVEs in priority. If you’re surprised to see an FTP server in your scan, the first action is to confirm whether you intend to be running it; the second is to take it off the public internet if you don’t.

Further reading