LiveActive security incident?Get immediate response
CVE Record

CVE-1999-0955: Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

A very old flaw in two once-common FTP servers (wu-ftpd and BSDI ftpd) let a remote attacker gain full administrator control by abusing the SITE EXEC command. Because the servers checked and used data in the wrong order, an attacker could slip in between those steps and take over. The bug is decades old, but any legacy system still running these FTP daemons remains at serious risk.

Executive priority

Low priority for modern estates that no longer run these FTP daemons; critical priority if any legacy Unix host still exposes wu-ftpd or BSDI ftpd. Treat as an inventory-and-retirement issue rather than a patch-management issue, since the affected software is end-of-life.

Technical view

CVE-1999-0955 is a race condition in wu-ftpd and BSDI ftpd handling of the SITE EXEC command. A time-of-check/time-of-use window between privilege validation and command execution allows a remote attacker to obtain root privileges on the FTP host. The public record lacks fixed-version data, CVSS, and CWE mappings in the bundle, but the vulnerability is historically categorized as a critical remote root issue in FTP daemons of that era.

Likely exposure

Exposure is limited to legacy or unmaintained systems still running vintage wu-ftpd or BSDI ftpd with SITE EXEC enabled and reachable from untrusted networks. Modern environments should not have these daemons in production, but they may persist on forgotten Unix hosts, appliances, or lab systems.

Exploitation context

Not listed in CISA KEV. The bundle cites only an IBM X-Force reference and no active-exploitation evidence in current threat feeds. Historically, wu-ftpd SITE EXEC issues from this era were widely discussed and targeted, so any exposed legacy instance should be treated as opportunistically exploitable.

Researcher notes

Source bundle is thin: no CVSS, no CWE, no affected version list, and only an IBM X-Force reference. The 2024 update timestamp reflects CVE List housekeeping, not new exploitation data. Analysts should treat the flaw as a classic TOCTOU privilege-escalation pattern in a privileged FTP command handler and prioritize discovery over deep technical triage.

Mitigation direction

  • Retire or replace legacy wu-ftpd and BSDI ftpd services with a maintained SFTP or FTPS solution.
  • Disable the SITE EXEC feature on any FTP daemon where it is not strictly required.
  • Restrict FTP service reachability to trusted management networks via firewall or ACL.
  • Consult current vendor or distribution advisories for any residual FTP daemon before continued use.
  • Remove anonymous or unnecessary FTP accounts on hosts that must keep the service.

Validation and detection

  • Inventory hosts exposing TCP/21 and identify banner strings matching wu-ftpd or BSDI ftpd.
  • Confirm whether SITE EXEC is enabled by reviewing daemon configuration files.
  • Cross-check discovered FTP daemons against current vendor support and patch status.
  • Verify network exposure of FTP services from untrusted zones using external and internal scans.
  • Audit FTP server logs for unusual SITE EXEC usage or unexpected root-level activity.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-1999-0955 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.