ProFTPD SQL Injection: The Stealthy Route to Full Server Takeover

ProFTPD is a cornerstone of the internet’s file transfer infrastructure, powering everything from small web hosts to massive enterprise data mirrors. However, on April 28, 2026, security researchers at ZeroPath revealed a critical vulnerability in the server’s mod_sql extension that could turn these trusted gateways into entry points for attackers.

Tracked as CVE-2026-42167, this SQL injection flaw carries a CVSS score of 8.1. It allows unauthenticated attackers to bypass security controls, inject backdoor users, or—in specific configurations—execute arbitrary code with system-level privileges.


The Technical Flaw: “Safe” Text That Isn’t

The vulnerability resides in the mod_sql module, specifically within the is_escaped_text() function. This function is responsible for sanitizing data before it is inserted into a database (such as MySQL, PostgreSQL, or SQLite).

The Logic Failure

The flaw is deceptively simple:

  1. The Trigger: When a server logs activity using the %U (Username) variable, it relies on is_escaped_text() to ensure the input is safe.
  2. The Bypass: If an attacker provides a username that starts and ends with a single quote (e.g., 'malicious_payload'), but contains no quotes in between, the function incorrectly assumes the text is already “manually” escaped and skips the sanitization process.
  3. The Injection: This allows the attacker to break out of the intended SQL query and append their own commands.
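To make the logic failure concrete, here is an added example (written for this page, not code from ProFTPD or ZeroPath) that models the "already escaped" heuristic exactly as the three steps above describe it, places it beside unconditional escaping, and scans constructed log lines for usernames that would have slipped past sanitization. The heuristic, the log format and the `ftplog` insert template are assumptions for illustration, not mod_sql's actual source.

```python
import re

# Added example (not ProFTPD's code): a model of the "already escaped" heuristic
# described in the article, an always-escape alternative, and a scanner that
# flags usernames that would have triggered the skipped sanitization.


def flawed_is_escaped_text(text: str) -> bool:
    """Model of the heuristic described above (an assumption about the logic,
    not mod_sql's actual source): a value that starts and ends with a single
    quote and has no quote in between is treated as already escaped."""
    if len(text) >= 2 and text[0] == "'" and text[-1] == "'":
        return "'" not in text[1:-1]
    return False


def escape_sql_literal(text: str) -> str:
    """Unconditional escaping: double every single quote and wrap the result
    in quotes, whatever the input looks like. Parameterized queries are better
    still, but this is the minimum a logging path should do."""
    return "'" + text.replace("'", "''") + "'"


def build_log_value_flawed(username: str) -> str:
    """Hypothetical log-insert template. Whenever the heuristic fires, the
    caller-controlled value reaches the SQL text unmodified."""
    if flawed_is_escaped_text(username):
        literal = username
    else:
        literal = escape_sql_literal(username)
    return f"INSERT INTO ftplog (username) VALUES ({literal})"


def build_log_value_safe(username: str) -> str:
    """Same template with unconditional escaping: no input shape is trusted."""
    return f"INSERT INTO ftplog (username) VALUES ({escape_sql_literal(username)})"


# Constructed sample log lines (not real ProFTPD output); the layout is an
# assumption: timestamp, client address, FTP command, argument.
SAMPLE_LOG = """\
2026-04-29 10:01:02 203.0.113.10 USER alice
2026-04-29 10:01:09 203.0.113.10 USER 'alice'
2026-04-29 10:02:41 198.51.100.7 USER o'hara
2026-04-29 10:03:15 198.51.100.7 USER ''
"""

USER_CMD = re.compile(r"\bUSER (.+)$")


def find_suspicious_usernames(log_text: str):
    """Return (line_number, username) for every USER argument that would have
    bypassed escaping under the flawed heuristic. This is a cheap retrospective
    check to run over transfer logs from the unpatched period."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = USER_CMD.search(line)
        if m and flawed_is_escaped_text(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    print(build_log_value_flawed("'alice'"))  # the quoted value passes through untouched
    print(build_log_value_safe("'alice'"))
    print(find_suspicious_usernames(SAMPLE_LOG))
```

The point the two builders make is that a sanitizer must never let the input's own shape decide whether it gets sanitized; the safe variant produces an ugly but harmless literal for `'alice'`, while the flawed one hands the value straight to the query text. The scanner is the same predicate turned into a detection: any hit deserves a look at what that session did next.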

High-Impact Scenarios: From Data Theft to RCE

The danger of CVE-2026-42167 depends heavily on how ProFTPD is configured. ZeroPath researchers have demonstrated three primary attack vectors:

  • Authentication Bypass: If the server logs “USER” requests before a password is provided, an attacker can inject a “backdoor” user record directly into the database. They can then log in as this new user with a home directory set to / (root), granting them full disk access.
  • Remote Code Execution (RCE): On systems where ProFTPD connects to a PostgreSQL database as a superuser, attackers can leverage the COPY TO PROGRAM command. This allows them to pivot from a SQL injection to executing shell commands on the host OS.
  • Blind Data Extraction: Even without RCE, attackers can use timing-based blind SQL injection to slowly “leak” the contents of the database, including the plaintext or hashed passwords of other users.

Are You at Risk?

Because ProFTPD is bundled with many popular Linux distributions and web hosting control panels (like cPanel or Plesk), the attack surface is vast. Shodan scans indicate over 162,000 publicly accessible ProFTPD instances, with an estimated 1% to 5% configured in a way that makes them vulnerable to pre-authentication attacks.


Remediation and Mitigation

Security teams should treat this as a high-priority event.

  1. Update Immediately: ProFTPD has released version 1.3.9a (maintenance) and 1.3.10rc1 (development) to address this flaw. Upgrading is the only definitive fix.
  2. Disable SQL Logging: If you cannot patch immediately, disable the mod_sql logging directives (like SQLNamedQuery) or remove %U from your logging strings to eliminate the attack vector.
  3. Audit Database Users: Ensure your ProFTPD database user does not have superuser or file-write permissions (especially for PostgreSQL).
  4. Check for Backdoors: Search your FTP user database for unexpected entries or users with a home directory set to /.
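Steps 2 and 4 above are both checks a team can script. The following added example (not from ProFTPD, ZeroPath or the article) flags `SQL*` directives whose template still contains `%U`, and audits a user table for entries that are not on an expected list or that have a home directory of `/`. The configuration excerpt and the `ftpuser` table (userid, passwd, uid, gid, homedir, shell) are constructed for illustration; the uid/gid 0 check is an extra sanity check added here, not a recommendation from the article.

```python
import re
import sqlite3

# Constructed mod_sql-style configuration excerpt (assumption; not from the page).
SAMPLE_CONFIG = """\
SQLConnectInfo proftpd@localhost ftpd secret
SQLAuthTypes Crypt
SQLNamedQuery logcmd INSERT "'%U', '%m', '%f'" ftplog
SQLLog PASS logcmd
SQLNamedQuery getcount SELECT "count FROM ftpuser WHERE userid='%u'"
"""


def find_risky_sql_directives(config_text: str):
    """Return (line_number, directive) for every SQL* directive whose template
    still references %U, the variable the article names as the trigger."""
    risky = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = stripped.split()[0]
        if directive.lower().startswith("sql") and "%U" in stripped:
            risky.append((n, directive))
    return risky


def build_sample_user_db() -> sqlite3.Connection:
    """Constructed in-memory user table (assumption: a common mod_sql-style
    layout). The final row is a planted example of a backdoor-shaped entry."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ftpuser (userid TEXT, passwd TEXT, uid INTEGER, "
        "gid INTEGER, homedir TEXT, shell TEXT)"
    )
    rows = [
        ("alice", "HASH_PLACEHOLDER", 2001, 2001, "/srv/ftp/alice", "/sbin/nologin"),
        ("bob", "HASH_PLACEHOLDER", 2002, 2002, "/srv/ftp/bob", "/sbin/nologin"),
        ("svc_backup", "HASH_PLACEHOLDER", 2003, 2003, "/srv/ftp/backup", "/sbin/nologin"),
        ("x", "HASH_PLACEHOLDER", 0, 0, "/", "/bin/sh"),
    ]
    conn.executemany("INSERT INTO ftpuser VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def audit_ftp_users(conn: sqlite3.Connection, expected_users):
    """Return (userid, reasons) for every row that is not in the expected set,
    has a home directory of /, or (added check) runs as uid or gid 0."""
    findings = []
    query = "SELECT userid, uid, gid, homedir, shell FROM ftpuser ORDER BY userid"
    for userid, uid, gid, homedir, shell in conn.execute(query):
        reasons = []
        if userid not in expected_users:
            reasons.append("not in expected user list")
        if homedir.rstrip("/") == "":
            reasons.append("home directory is /")
        if uid == 0 or gid == 0:
            reasons.append("uid or gid is 0")
        if reasons:
            findings.append((userid, reasons))
    return findings


if __name__ == "__main__":
    print(find_risky_sql_directives(SAMPLE_CONFIG))
    conn = build_sample_user_db()
    print(audit_ftp_users(conn, {"alice", "bob", "svc_backup"}))
```

The expected-user list should come from whatever provisioning system is authoritative for the host, not from the database itself; the whole point of the audit is that the database may have been written to by someone other than that system. Against a real MySQL or PostgreSQL backend the same query runs unchanged once the connection object is swapped.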

Conclusion: The Importance of Deep Sanitization

CVE-2026-42167 is a reminder that even mature, decades-old software can harbor fundamental logic flaws. In the modern threat landscape, assuming that "quotes mean safety" is a gamble that can cost an organization the integrity of its entire data set.
