Proftpd · Proftpd · CVE-2026-42167
**Name of the Vulnerable Software and Affected Versions**
ProFTPD versions prior to 1.3.10rc1
**Description**
A flaw in the `mod_sql` module allows unauthenticated remote attackers to bypass authentication and execute arbitrary code. The issue stems from a lack of protection for SQL query structures, specifically when logging `USER` requests using expansions such as `%U`. If the SQL backend supports command execution (for example, `COPY TO PROGRAM`), an attacker can use a crafted `username` to break SQL strings and execute OS-level commands. Over 162,000 internet-facing instances are estimated to be at risk.
**Recommendations**
Update to version 1.3.10rc1.
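
To find hosts that use the logging pattern named in the Description while the update is rolled out, the following added example (not from the advisory or the ProFTPD project) audits a `proftpd.conf` for `SQLLog` directives that fire on `USER` and reference a named query containing `%U`. It assumes the directive forms `SQLNamedQuery name type query [table]` and `SQLLog cmd-set query-name`; the function name `audit` and the sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = '''
LoadModule mod_sql.c
SQLNamedQuery log_user FREEFORM "INSERT INTO logins (name, ip) VALUES ('%U', '%a')"
SQLNamedQuery log_xfer INSERT "'%u', '%f', %b" transfers
SQLNamedQuery log_pass FREEFORM "INSERT INTO auth (ts) VALUES (now())"
SQLLog USER log_user
SQLLog RETR,STOR log_xfer
SQLLog ERR_PASS,ERR_USER log_pass
# SQLLog USER commented_out
'''

# Command sets treated as "runs for a USER request". Including "*" and
# ERR_USER is an assumption about how SQLLog command sets are matched.
USER_TRIGGERS = {"USER", "ERR_USER", "*"}


def audit(conf_text, expansions=("%U",)):
    """Return (line_no, cmd_set, query_name) for each SQLLog directive that
    fires on USER and whose named query embeds one of `expansions`."""
    queries = {}   # named query -> query string
    logs = []      # (line_no, cmd_set, query_name)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)      # honours the double-quoted query string
        except ValueError:
            continue                     # unbalanced quotes: skip the line
        key = tok[0].lower()
        if key == "sqlnamedquery" and len(tok) >= 4:
            queries[tok[1]] = tok[3]
        elif key == "sqllog" and len(tok) >= 3:
            logs.append((no, tok[1], tok[2]))
    findings = []
    for no, cmds, name in logs:
        cmd_set = {c.strip().upper() for c in cmds.split(",")}
        body = queries.get(name, "")
        if cmd_set & USER_TRIGGERS and any(e in body for e in expansions):
            findings.append((no, cmds, name))
    return findings


if __name__ == "__main__":
    for no, cmds, name in audit(SAMPLE_CONF):
        print(f"line {no}: SQLLog {cmds} -> {name} uses a client-supplied expansion")
```

The check is a heuristic over a single file and does not follow `Include` directives; a hit marks a host to prioritise for the update above.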