Security readout for executives and security teams
Plain-English summary
A very old flaw in two once-common FTP servers (wu-ftpd and BSDI ftpd) let a remote attacker gain full administrator control by abusing the SITE EXEC command. Because the servers checked and used data in the wrong order, an attacker could slip in between those steps and take over. The bug is decades old, but any legacy system still running these FTP daemons remains at serious risk.
Executive priority
Low priority for modern estates that no longer run these FTP daemons; critical priority if any legacy Unix host still exposes wu-ftpd or BSDI ftpd. Treat as an inventory-and-retirement issue rather than a patch-management issue, since the affected software is end-of-life.
Technical view
CVE-1999-0955 is a race condition in wu-ftpd and BSDI ftpd handling of the SITE EXEC command. A time-of-check/time-of-use window between privilege validation and command execution allows a remote attacker to obtain root privileges on the FTP host. The public record lacks fixed-version data, CVSS, and CWE mappings in the bundle, but the vulnerability is historically categorized as a critical remote root issue in FTP daemons of that era.
Likely exposure
Exposure is limited to legacy or unmaintained systems still running vintage wu-ftpd or BSDI ftpd with SITE EXEC enabled and reachable from untrusted networks. Modern environments should not have these daemons in production, but they may persist on forgotten Unix hosts, appliances, or lab systems.
Exploitation context
Not listed in CISA KEV. The bundle cites only an IBM X-Force reference and no active-exploitation evidence in current threat feeds. Historically, wu-ftpd SITE EXEC issues from this era were widely discussed and targeted, so any exposed legacy instance should be treated as opportunistically exploitable.
Researcher notes
Source bundle is thin: no CVSS, no CWE, no affected version list, and only an IBM X-Force reference. The 2024 update timestamp reflects CVE List housekeeping, not new exploitation data. Analysts should treat the flaw as a classic TOCTOU privilege-escalation pattern in a privileged FTP command handler and prioritize discovery over deep technical triage.
Mitigation direction
- Retire or replace legacy wu-ftpd and BSDI ftpd services with a maintained SFTP or FTPS solution.
- Disable the SITE EXEC feature on any FTP daemon where it is not strictly required.
- Restrict FTP service reachability to trusted management networks via firewall or ACL.
- Consult current vendor or distribution advisories for any residual FTP daemon before continued use.
- Remove anonymous or unnecessary FTP accounts on hosts that must keep the service.
Validation and detection
- Inventory hosts exposing TCP/21 and identify banner strings matching wu-ftpd or BSDI ftpd.
- Confirm whether SITE EXEC is enabled by reviewing daemon configuration files.
- Cross-check discovered FTP daemons against current vendor support and patch status.
- Verify network exposure of FTP services from untrusted zones using external and internal scans.
- Audit FTP server logs for unusual SITE EXEC usage or unexpected root-level activity.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-1999-0955 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0955CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
