Security readout for executives and security teams
Plain-English summary
FreeFloat FTP Server can let unauthenticated remote users upload files into sensitive Windows locations. The source bundle describes conditions that can lead to code execution as SYSTEM. This is most urgent where the FTP service is still deployed, reachable, or installed on legacy Windows systems.
Executive priority
Prioritize immediate discovery and removal of exposed instances. This is a critical unauthenticated RCE path, but urgency depends on whether the obsolete FTP server exists in the environment and is reachable.
Technical view
The issue combines missing authentication, arbitrary file upload, and overly broad filesystem access. The server accepts empty credentials, exposes the C:\ drive root, and does not constrain destination paths or file types. Uploads to sensitive Windows directories can be processed by WMI, enabling SYSTEM-level remote code execution.
Likely exposure
Exposure is likely limited to organizations still running FreeFloat FTP Server, particularly legacy or forgotten Windows hosts. The bundle lists FreeFloat FTP Server as affected but does not provide precise version or CPE data, so asset confirmation must be service- and software-based.
Exploitation context
The bundle includes public exploit references from Metasploit and Exploit-DB. However, KEV is false and the provided sources do not state active exploitation. Treat internet-facing instances as high-risk because exploitation requires no credentials or user interaction.
Researcher notes
The strongest evidence is the design-flaw description and public exploit references. Evidence is incomplete on supported versions, fixed releases, and real-world exploitation. Avoid assuming current exploitation without additional telemetry or a KEV listing.
Mitigation direction
- Remove or disable FreeFloat FTP Server, especially on internet-facing Windows hosts.
- Restrict FTP access to trusted networks while confirming exposure and vendor guidance.
- Prevent FTP write access to Windows system and WMI directories.
- Monitor for unexpected files in sensitive Windows directories.
- Check vendor or trusted advisories; the bundle does not name a patch.
Validation and detection
- Inventory Windows hosts for FreeFloat FTP Server installations or running FTP listeners.
- Confirm whether the FTP service is reachable from untrusted networks.
- Review FTP configuration for anonymous or empty-credential access.
- Audit upload paths and filesystem permissions for system directory write access.
- Check logs for unauthenticated uploads or unexpected administrative file writes.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-434: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-732: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupFile access behavior lookup
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2012-10030 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.3CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/freefloatftp_wbem.rbCVE reference · exploit
- https://www.exploit-db.com/exploits/23226CVE reference · exploit
- https://www.fortiguard.com/encyclopedia/ips/34209/freefloat-ftp-server-arbitrary-file-uploadCVE reference · third-party-advisory
- https://archive.org/details/tucows_367516_Freefloat_FTP_ServerCVE reference · product
- https://www.vulncheck.com/advisories/freefloat-ftp-server-arbitrary-file-uploadCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
