CVE-2026-42167: Chaining SQL Injection to RCE in ProFTPD via mod_sql

A critical security vulnerability has been unearthed in ProFTPD, revealing a sophisticated exploit chain that transforms a standard SQL injection into a high-impact breach. This flaw is particularly alarming because it doesn’t just stop at data theft; under specific configurations, it allows attackers to bypass authentication, escalate privileges, and achieve full Remote Code Execution (RCE).

Tracked as CVE-2026-42167, the vulnerability was identified by the researchers at ZeroPath Research within the ProFTPD mod_sql extension. With a CVSS v3 score of 8.1, this is classified as a high-severity threat, particularly for internet-facing FTP instances that rely on SQL-backed databases for user authentication or transaction logging.

Bypassing auth to inject a backdoor user with full disk access
Attack Vector Illustration: Bypassing authentication to inject a backdoor user with full disk access (Source: ZeroPath)

The Technical Root Cause: Improper Sanitization in mod_sql

The vulnerability stems from a logic error in how mod_sql processes data intended for SQL queries. In essence, the module incorrectly assumes that certain inputs have already been properly escaped and sanitized before they are concatenated into a query string.

Security researchers found that attacker-controlled strings—such as a username provided during a USER command—can be passed into logging expressions (e.g., using the %U token). Because the module fails to re-validate these inputs, a specially crafted payload can “break out” of the intended SQL syntax. This allows an adversary to terminate the legitimate query and append malicious SQL commands of their choosing.

Exploitation Paths: From Authentication Bypass to RCE

The actual “blast radius” of this exploit depends heavily on the server’s configuration, creating several distinct risk tiers:

  • Pre-Authentication Exploitation: If mod_sql is configured to log pre-authentication commands (like the initial USER request), an attacker can trigger the injection without ever providing valid credentials. This opens the door to remote exploitation from the open internet.
  • Privilege Escalation & Backdoor Injection: Even in environments where a valid session is required, the injected SQL can be used to manipulate the backend database. An attacker could grant themselves administrative rights, modify existing user permissions, or inject entirely new “backdoor” accounts to maintain persistent access.
  • Remote Code Execution (The Worst-Case Scenario): The most catastrophic outcome occurs when ProFTPD is integrated with a PostgreSQL backend running with elevated system privileges. In these setups, an attacker can leverage advanced database features (such as extensions that allow command execution via SQL) to break out of the database layer and execute arbitrary commands directly on the underlying operating system.

Remediation and Defense Strategies

According to ZeroPath’s technical analysis, this vulnerability affects ProFTPD versions up to 1.3.9. The vendor has officially addressed the flaw in ProFTPD 1.3.9a, released on April 27, 2026.

Immediate Action Plan for Administrators:

  1. Patch Immediately: Upgrade to ProFTPD 1.3.9a or later. Note that official CVE records suggest all builds prior to 1.3.10rc1 should be treated as vulnerable.
  2. Audit Configuration: Review your mod_sql settings. Specifically, inspect the SQLNamedQuery and SQLLog directives to ensure that attacker-controlled fields (like usernames) are not being passed raw into SQL statements.
  3. Mitigation (If patching is delayed): If an immediate upgrade is not possible, the most effective temporary workaround is to disable mod_sql-based logging entirely.
  4. Enhanced Monitoring: Closely monitor database logs for unusual patterns and audit all authentication attempts for suspicious characters or unexpected SQL syntax in the username fields.

Related Articles

Back to top button