FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.
History

Wed, 03 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Freefloat freefloat Ftp Server
CPEs cpe:2.3:a:freefloat:freefloat_ftp_server:1.0:*:*:*:*:*:*:*
Vendors & Products Freefloat freefloat Ftp Server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 06 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 Aug 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Freefloat
Freefloat ftp Server
Vendors & Products Freefloat
Freefloat ftp Server

Tue, 05 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Description FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.
Title FreeFloat FTP Server Arbitrary File Upload
Weaknesses CWE-306
CWE-434
CWE-732
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-06T17:55:27.025Z

Reserved: 2025-08-05T16:16:53.362Z

Link: CVE-2012-10030

cve-icon Vulnrichment

Updated: 2025-08-06T17:55:23.998Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-05T20:15:34.003

Modified: 2025-09-03T14:58:01.787

Link: CVE-2012-10030

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-06T07:50:29Z