ProFTPD SQL Injection (CVE-2026-44331) Exposes Servers to Remote Attacks
A critical SQL injection vulnerability, tracked as CVE-2026-44331, has been identified in ProFTPD versions through 1.3.9a. The National Vulnerability Database reports that this flaw resides within the sqltab_fetch_clients_cb() function in contrib/mod_wrap2_sql.c. This vulnerability allows a remote attacker to inject arbitrary SQL commands by manipulating a crafted domain name during a reverse DNS lookup.
The exploitability hinges on the `UseReverseDNS on` configuration setting. When it is enabled, ProFTPD resolves the connecting client's address to a hostname and passes that hostname unescaped into the SQL query, so whoever controls the PTR record for the source address controls the injected text. While DNS naming conventions impose some character restrictions, these limitations do not fully mitigate the risk of successful exploitation. The National Vulnerability Database assigns this vulnerability a CVSS score of 8.1 (HIGH), underscoring its significant potential impact.
For organizations running vulnerable ProFTPD instances with `UseReverseDNS` enabled and `mod_wrap2_sql` in use, this is a direct path into the backend database. Depending on what the database account can reach, an attacker can bypass the access-control lookups the module performs, extract credentials, or manipulate database entries, and from there potentially compromise the server. The attacker's calculus is simple: find exposed ProFTPD servers, publish a malicious PTR record for the address they connect from, and connect.
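The following is an added example, not code from ProFTPD or from the original post, showing the pattern described above: a hostname obtained from a reverse lookup is spliced into an access-control query, and a PTR record under the attacker's control rewrites the WHERE clause. The table name, column and query text are assumptions for illustration (not mod_wrap2_sql's real schema), and the "safe" variant shows the two independent defenses a practitioner would want: reject anything that is not a syntactically valid hostname, and bind the value as a parameter. The project's own fix in commit `7666224` is not reproduced here.

```python
import re
import sqlite3

# RFC 1123 "LDH" hostname: labels of letters, digits and hyphens joined by dots.
# A reverse lookup that yields anything else is not a hostname and should not
# reach the database at all.
LDH_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
LDH_HOSTNAME = re.compile(r"^(?=.{1,254}$)" + LDH_LABEL + r"(?:\." + LDH_LABEL + r")*\.?$")


def is_ldh_hostname(name: str) -> bool:
    """True only for a syntactically valid LDH hostname (optional trailing dot)."""
    return bool(LDH_HOSTNAME.match(name))


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an allow table; the schema is an assumption for
    this example, not mod_wrap2_sql's real table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_clients (client TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO allowed_clients (client) VALUES (?)",
        [("trusted.example.com",), ("backup.example.com",)],
    )
    conn.commit()
    return conn


def client_allowed_unsafe(conn: sqlite3.Connection, client_host: str) -> bool:
    """Vulnerable pattern: the name from the PTR lookup is spliced into the SQL
    text, so the record's owner decides what the WHERE clause says."""
    sql = "SELECT COUNT(*) FROM allowed_clients WHERE client = '%s'" % client_host
    return conn.execute(sql).fetchone()[0] > 0


def client_allowed_safe(conn: sqlite3.Connection, client_host: str) -> bool:
    """Hardened pattern: reject anything that is not a hostname, then bind the
    value as a parameter so it can never change the query's structure."""
    if not is_ldh_hostname(client_host):
        return False  # behave as if the address did not resolve
    row = conn.execute(
        "SELECT COUNT(*) FROM allowed_clients WHERE client = ?", (client_host,)
    ).fetchone()
    return row[0] > 0


# Constructed PTR answer an attacker could publish for the IP they connect from.
MALICIOUS_PTR = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, attacker PTR :", client_allowed_unsafe(db, MALICIOUS_PTR))        # True
    print("safe,   attacker PTR :", client_allowed_safe(db, MALICIOUS_PTR))          # False
    print("safe,   trusted host :", client_allowed_safe(db, "trusted.example.com"))  # True
```

With the unsafe builder the query becomes `... WHERE client = '' OR '1'='1'`, which matches every row, so an unknown client is treated as allowed. Parameter binding alone already defeats that; the hostname allow-list is the extra check that keeps non-hostname bytes out of every downstream consumer, not just this query.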
What This Means For You
- If your organization uses ProFTPD, immediately verify your version and configuration. Check whether reverse DNS is in effect: `UseReverseDNS` defaults to on, so a configuration that never mentions the directive is still exposed, and only an explicit `UseReverseDNS off` turns it off. Also confirm whether `mod_wrap2_sql` is in use (loaded via `LoadModule`, or compiled in and listed by `proftpd -l`). Updating to a build that includes commit `7666224` or later is the real fix. If immediate patching isn't feasible, setting `UseReverseDNS off` or disabling `mod_wrap2_sql` is a temporary mitigation that removes the remote SQL injection path.
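As an added example (not part of the original post or of ProFTPD), a small auditor that reads a `proftpd.conf` and answers the two questions above, honouring the default-on behaviour of `UseReverseDNS` and the last-directive-wins rule. It only sees modules loaded with `LoadModule`; a build with `mod_wrap2_sql` compiled in must be checked with `proftpd -l`, and `Include`d files are not followed. The configuration fragment is constructed for the example.

```python
import re

USE_REVERSE_DNS = re.compile(r"^\s*UseReverseDNS\s+(on|off)\s*$", re.IGNORECASE)
LOAD_MODULE = re.compile(r"^\s*LoadModule\s+(\S+)", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment so commented-out directives do not count."""
    return line.split("#", 1)[0]


def reverse_dns_enabled(conf_text: str) -> bool:
    """Last UseReverseDNS directive wins; with no directive at all the server
    default (on) applies, which is exactly the case this check exists to catch."""
    enabled = True
    for raw in conf_text.splitlines():
        m = USE_REVERSE_DNS.match(_strip_comment(raw))
        if m:
            enabled = m.group(1).lower() == "on"
    return enabled


def loaded_modules(conf_text: str) -> set:
    """Module names from LoadModule lines (DSO builds only; statically compiled
    modules are listed by `proftpd -l` instead)."""
    mods = set()
    for raw in conf_text.splitlines():
        m = LOAD_MODULE.match(_strip_comment(raw))
        if m:
            mods.add(m.group(1))
    return mods


def exposure(conf_text: str) -> dict:
    """Summarise whether this configuration leaves the vulnerable path reachable."""
    rdns = reverse_dns_enabled(conf_text)
    wrap2_sql = "mod_wrap2_sql.c" in loaded_modules(conf_text)
    return {"use_reverse_dns": rdns, "mod_wrap2_sql": wrap2_sql, "exposed": rdns and wrap2_sql}


# Constructed proftpd.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
ServerName "Example FTP"
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_sql.c
# UseReverseDNS off   <- commented out, so it does not count
UseReverseDNS on
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(exposure(text))
```

Run it as `python audit.py /etc/proftpd/proftpd.conf`; with no argument it evaluates the embedded sample, which reports `exposed: True`. Flipping the directive to `UseReverseDNS off`, or removing the `mod_wrap2_sql.c` line, makes `exposed` false.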
🛡️ Detection Rules
```yaml
title: ProFTPD SQL Injection via Reverse DNS Lookup - CVE-2026-44331
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2026-44331 by observing reverse-DNS (PTR)
    answers that carry SQL injection payloads. The payload is not in the query
    name (that is the client's address under in-addr.arpa or ip6.arpa) but in
    the hostname returned for it; ProFTPD passes that hostname into the SQL
    query built in sqltab_fetch_clients_cb() when UseReverseDNS is enabled.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-44331/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: dns
detection:
    # Field names follow Sigma's generic dns taxonomy (query, answer);
    # the backend's field mapping must supply them for your log source.
    selection_ptr:
        query|endswith:
            - '.in-addr.arpa'
            - '.ip6.arpa'
    selection_payload:
        answer|contains:
            - "' OR "
            - "' OR 1=1 -- "
            - "' OR 'x'='x' -- "
    condition: selection_ptr and selection_payload
falsepositives:
    - PTR records that legitimately contain these substrings (very unlikely)
```
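The rule above only matches three literal substrings, which an attacker can trivially avoid. As an added example (not part of the original post), the same logic in Python run over constructed DNS log records, generalised in one way: after the literal markers it also flags any PTR answer containing characters outside the hostname alphabet (letters, digits, dot, hyphen), which is the actual signal here, since a legitimate reverse lookup never returns quotes, spaces or semicolons. The record layout (`query`, `record_type`, `answer`) is an assumption matching the Sigma dns taxonomy.

```python
import re

# Anything outside the RFC 1123 hostname alphabet plus the label separator.
NON_LDH = re.compile(r"[^A-Za-z0-9.\-]")

# The literal substrings from the Sigma rule above.
SQL_MARKERS = ("' OR ", "' OR 1=1 -- ", "' OR 'x'='x' -- ")


def is_reverse_query(name: str) -> bool:
    """True for names under the reverse-lookup zones."""
    n = name.lower().rstrip(".")
    return n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa")


def classify_ptr(record: dict):
    """Return None for a benign record, otherwise the reason it was flagged."""
    if record.get("record_type") != "PTR" and not is_reverse_query(record.get("query", "")):
        return None
    answer = record.get("answer", "")
    if any(marker in answer for marker in SQL_MARKERS):
        return "sql-marker"
    if NON_LDH.search(answer):
        return "non-ldh-hostname"
    return None


def flag_records(records):
    """(query, answer, reason) for every record the detector flags."""
    flagged = []
    for rec in records:
        reason = classify_ptr(rec)
        if reason:
            flagged.append((rec["query"], rec["answer"], reason))
    return flagged


# Constructed log records (not real traffic). Reverse queries list the octets
# in reverse order, so 5.0.0.10.in-addr.arpa is the lookup for 10.0.0.5.
SAMPLE_RECORDS = [
    {"query": "5.0.0.10.in-addr.arpa", "record_type": "PTR", "answer": "trusted.example.com"},
    {"query": "www.example.com", "record_type": "A", "answer": "192.0.2.10"},
    {"query": "4.3.2.1.in-addr.arpa", "record_type": "PTR", "answer": "' OR '1'='1"},
    {"query": "9.8.7.6.in-addr.arpa", "record_type": "PTR", "answer": "x'); DELETE FROM clients; --"},
    {"query": "20.0.2.192.in-addr.arpa", "record_type": "PTR", "answer": "host_with_underscore.example.net"},
]

if __name__ == "__main__":
    for query, answer, reason in flag_records(SAMPLE_RECORDS):
        print(f"{reason:18} {query:28} {answer!r}")
```

The fourth record is the point: it contains none of the rule's literal markers and would slip past the Sigma rule as written, but it is flagged by the character check. The fifth shows the cost of that generalisation: underscores do occur in real hostnames, so a deployment may want to allow `_` or route `non-ldh-hostname` hits to a lower severity than `sql-marker` hits.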
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44331 | SQLi | ProFTPD through 1.3.9a before commit 7666224 |
| CVE-2026-44331 | SQLi | contrib/mod_wrap2_sql.c in sqltab_fetch_clients_cb() |
| CVE-2026-44331 | SQLi | Remote SQL injection via crafted domain name during reverse DNS lookup when 'UseReverseDNS on' is enabled |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.