CVE-2026-42167: ProFTPD mod_sql RCE Via Log Expansion

The National Vulnerability Database has detailed CVE-2026-42167, a critical remote code execution (RCE) vulnerability in ProFTPD’s mod_sql module. This flaw impacts ProFTPD versions prior to 1.3.10rc1. The vulnerability hinges on a specific configuration where logging of USER requests includes expansions like %U, and the SQL backend permits COPY TO PROGRAM commands. This isn’t some theoretical bypass; it’s a direct path to arbitrary code execution if those conditions align.

Attackers can exploit this by crafting malicious usernames. When these usernames are logged and processed by an SQL backend configured to allow command execution, the attacker’s code runs. The CVSS score of 8.1 (High) reflects the severity: network-exploitable with high impact on confidentiality, integrity, and availability, requiring low attack complexity and no user interaction. This is a configuration-dependent RCE that demands immediate attention.

This isn’t just about patching. It’s about understanding the nuances of your logging configurations and SQL backend capabilities. If you’re running ProFTPD, especially in environments where mod_sql is active and logging is verbose, you’ve got a potential blind spot. Attackers are always looking for these kinds of chained misconfigurations. The risk here is direct system compromise without needing to bypass complex authentication mechanisms.

What This Means For You

  • If your organization uses ProFTPD, especially with the `mod_sql` module, you need to immediately check your version. Patch to ProFTPD 1.3.10rc1 or newer. Crucially, audit your `mod_sql` logging configurations: disable expansions like `%U` in `USER` request logging and ensure your SQL backend does not allow `COPY TO PROGRAM` or similar command execution features for the ProFTPD user. This vulnerability is a direct RCE, so assume compromise if you’re exposed and haven’t patched.
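Part of that audit can be scripted. The Python below is an added example, not code from the advisory or from the ProFTPD project: it parses `SQLNamedQuery` and `SQLLog` directives from a `proftpd.conf` and flags any log query that fires on the `USER` command and embeds the `%U` expansion (pass extra expansions such as `%u` to widen the check). The sample configuration is constructed, and the bundled PostgreSQL query is an assumption that the backend is PostgreSQL, where `COPY ... TO PROGRAM` is limited to superusers and members of `pg_execute_server_program`.

```python
import re
from typing import Dict, List, Tuple

# Constructed proftpd.conf fragment for this example (not from the advisory).
SAMPLE_CONF = """\
<IfModule mod_sql.c>
  SQLEngine on
  SQLBackend postgres
  SQLLog PASS,USER login_log
  SQLLog RETR,STOR xfer_log
  SQLNamedQuery login_log INSERT "'%U', '%a', now()" ftp_logins
  SQLNamedQuery xfer_log INSERT "'%u', '%f', %b" ftp_xfers
</IfModule>
"""

# ProFTPD directive names are case-insensitive; the query text is the quoted field.
NAMED_QUERY = re.compile(r'^\s*SQLNamedQuery\s+(\S+)\s+(\S+)\s+"([^"]*)"', re.I)
SQLLOG = re.compile(r'^\s*SQLLog\s+(\S+)\s+(\S+)', re.I)

# Assumes a PostgreSQL backend: lists roles able to run COPY ... TO PROGRAM.
# Run as the DBA and confirm the role ProFTPD connects with is not listed.
PG_COPY_PROGRAM_ROLES_SQL = ("SELECT rolname FROM pg_roles WHERE rolsuper "
                             "OR pg_has_role(oid, 'pg_execute_server_program', 'member');")


def audit_sqllog(conf: str, risky: Tuple[str, ...] = ("%U",)) -> List[Tuple[str, str, str]]:
    """Return (query_name, expansion, query_text) for every SQLLog that fires on
    USER and whose named query embeds a risky expansion. Named queries may be
    declared after the SQLLog that uses them, so collect them in a first pass."""
    queries: Dict[str, str] = {}
    for line in conf.splitlines():
        m = NAMED_QUERY.match(line)
        if m:
            queries[m.group(1)] = m.group(3)

    findings: List[Tuple[str, str, str]] = []
    for line in conf.splitlines():
        m = SQLLOG.match(line)
        if not m:
            continue
        commands = {c.strip().upper() for c in m.group(1).split(",")}
        if "USER" not in commands:
            continue
        qtext = queries.get(m.group(2), "")
        for exp in risky:
            if exp in qtext:  # case-sensitive: %U (USER argument) is not %u
                findings.append((m.group(2), exp, qtext))
    return findings
```

With the sample configuration, `audit_sqllog(SAMPLE_CONF)` reports only `login_log`, because it runs on `USER` and expands `%U`; `xfer_log` is skipped even though it uses `%u`, since it never fires on `USER`.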

Detection Rules

CVE-2026-42167: ProFTPD mod_sql RCE via Log Expansion - User Input

```yaml
title: CVE-2026-42167: ProFTPD mod_sql RCE via Log Expansion - User Input
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  This rule detects the specific pattern of a USER request with a log expansion like '%U' in the URI, which is indicative of the exploit path for CVE-2026-42167 in ProFTPD mod_sql. This allows remote attackers to execute arbitrary code when logging of USER requests with expansions is enabled and the SQL backend allows command execution.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42167/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/%U'
    # exact match is Sigma's default; '|exact' is not a valid modifier
    cs-method:
      - 'USER'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-42167 | RCE | ProFTPD mod_sql |
| CVE-2026-42167 | RCE | ProFTPD before 1.3.10rc1 |
| CVE-2026-42167 | RCE | Vulnerable to arbitrary code execution via username in USER requests with %U expansion and SQL backend allowing commands (e.g., COPY TO PROGRAM) |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
