ProFTPD Authentication Bypass & Remote Code Execution (CVE-2026-42167)
Overview
ProFTPD Authentication Bypass & Remote Code Execution, tracked as CVE-2026-42167, affects ProFTPD deployments that use the mod_sql module. The issue can turn FTP username handling and SQL-backed logging into an authentication bypass and remote code execution risk in exposed configurations.
Vulnerability Overview
CVE-2026-42167 is an SQL injection vulnerability in ProFTPD mod_sql. The flaw is tied to how SQL escaping is applied to user-controlled input, especially when username values are later reused by SQL logging or backend queries.
In vulnerable configurations, crafted FTP authentication input can bypass expected SQL protections. If the SQL backend supports command execution features, the same weakness can become a remote code execution path rather than only an authentication or data-access issue.
Impact
The vulnerability is rated High with a CVSS 3.1 score of 8.1. Successful exploitation can allow a remote unauthenticated attacker to compromise confidentiality, integrity, and availability of the affected service and underlying host.
The practical impact depends heavily on how ProFTPD is configured, which SQL backend is used, and whether SQL logging expands attacker-controlled username data.
Vulnerability Scope
The CVE record identifies ProFTPD mod_sql before 1.3.9a as affected. Systems are most exposed when FTP is reachable from untrusted networks, SQL-backed authentication or logging is enabled, and username data is interpolated into SQL activity.
Administrators should validate the installed ProFTPD package version and review distribution-specific advisories, because downstream vendors may backport the fix without changing the upstream version string.
Lab Focus
This Hackviser lab focuses on understanding how SQL injection in an authentication-adjacent service component can escalate into full remote code execution. You will practice recognizing risky FTP and SQL integration patterns, interpreting CVE scope, and mapping vulnerable service behavior to remediation priorities.