CVE-2019-9760

9.8 CRITICAL

📋 TL;DR

CVE-2019-9760 is a critical remote code execution vulnerability in FTPGetter Standard FTP client software. When users connect to a malicious FTP server, crafted responses can trigger memory corruption leading to arbitrary code execution or client crashes. This affects all users of FTPGetter Standard version 5.97.0.177 who connect to untrusted FTP servers.

💻 Affected Systems

Products:
  • FTPGetter Standard
Versions: Version 5.97.0.177
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of this specific version are vulnerable when connecting to FTP servers. The vulnerability is in the client software itself, not server-side.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case: Remote code execution allowing attackers to install malware, steal credentials, or use the compromised system as a foothold for further attacks.

🟢 If Mitigated: Denial of service through client crashes if the memory corruption does not lead to successful code execution.

🌐 Internet-Facing: HIGH - Attackers can host malicious FTP servers on the internet and trick users into connecting, or compromise legitimate FTP servers to serve malicious responses.
🏢 Internal Only: MEDIUM - Risk exists if internal users connect to compromised internal FTP servers or if attackers gain internal network access to set up malicious FTP servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available, including Python scripts that demonstrate both RCE and crash capabilities. Exploitation requires user interaction to initiate FTP connection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 5.97.0.177

Vendor Advisory: Not publicly documented in vendor advisory format

Restart Required: Yes

Instructions:

1. Open FTPGetter Standard.
2. Navigate to Help > Check for Updates.
3. Install the latest available update.
4. Restart the application.
5. Verify the version is no longer 5.97.0.177.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Block outbound FTP connections to untrusted networks and restrict FTP usage to approved internal servers only.

Application Control (platform: Windows)

Disable or uninstall FTPGetter Standard until patched, and use alternative FTP clients that are not vulnerable.

🧯 If You Can't Patch

  • Implement strict outbound firewall rules to block FTP connections (TCP port 21) to all but approved, trusted FTP servers.
  • Educate users to never connect to unknown or untrusted FTP servers and consider using SFTP/FTPS alternatives instead of plain FTP.

🔍 How to Verify

Check if Vulnerable:

Check FTPGetter Standard version by opening the application and navigating to Help > About. If version is exactly 5.97.0.177, the system is vulnerable.

Check Version:

Not applicable via command line; the version must be checked through the application GUI (Help > About).

Verify Fix Applied:

After updating, verify the version is no longer 5.97.0.177. Test connecting to a known safe FTP server to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed FTP connection attempts followed by successful connection to suspicious IPs
  • Application crash logs from FTPGetter with memory access violations

Network Indicators:

  • Outbound FTP connections to unknown or suspicious IP addresses
  • Unusual network traffic patterns following FTP connections

SIEM Query:

(source="ftpgetter.log" AND (event="crash" OR event="memory_access_violation")) OR (dest_port=21 AND src_ip=[internal_range] AND dest_ip NOT IN [approved_ftp_servers])
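As an added example (not part of this advisory or of the vendor's tooling), the log and network indicators above as a small Python checker: it flags outbound TCP/21 connections from the internal range to servers outside an allow-list, picks out FTPGetter crash events, and correlates the two within a time window. The log line formats, the internal range and the allow-list are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the advisory): corporate address range and allow-listed FTP servers.
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")
APPROVED_FTP_SERVERS = {"10.20.0.5", "203.0.113.10"}
CRASH_EVENTS = {"crash", "memory_access_violation"}

# Constructed log formats: epoch timestamp first, then key=value fields.
CONN_RE = re.compile(r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")
CRASH_RE = re.compile(r"^(?P<ts>\d+) app=FTPGetter event=(?P<event>\w+)$")


def unapproved_ftp_connections(lines):
    """Outbound TCP/21 from the internal range to a server not on the allow-list."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m or m["dport"] != "21":
            continue
        if ipaddress.ip_address(m["src"]) in INTERNAL_RANGE and m["dst"] not in APPROVED_FTP_SERVERS:
            hits.append((int(m["ts"]), m["src"], m["dst"]))
    return hits


def ftpgetter_crashes(lines):
    """Timestamps of FTPGetter crash or memory-access-violation events."""
    return [int(m["ts"]) for m in map(CRASH_RE.match, lines) if m and m["event"] in CRASH_EVENTS]


def correlate(conn_lines, crash_lines, window_s=300):
    """Pair each crash with any unapproved FTP connection from the preceding window_s seconds."""
    conns = unapproved_ftp_connections(conn_lines)
    return [(crash, src, dst)
            for crash in ftpgetter_crashes(crash_lines)
            for (ts, src, dst) in conns
            if 0 <= crash - ts <= window_s]


# Constructed sample logs: one approved FTP session, one to an unknown server, one non-FTP flow,
# one from outside the internal range, then a crash 20 s after the suspicious connection.
CONN_LOG = [
    "1700000000 src=10.1.2.3 dst=10.20.0.5 dport=21 action=allow",
    "1700000100 src=10.1.2.3 dst=198.51.100.7 dport=21 action=allow",
    "1700000150 src=10.1.2.3 dst=198.51.100.7 dport=443 action=allow",
    "1700000200 src=192.0.2.9 dst=198.51.100.7 dport=21 action=allow",
]
CRASH_LOG = [
    "1700000120 app=FTPGetter event=memory_access_violation",
    "1700009000 app=FTPGetter event=startup",
]

if __name__ == "__main__":
    for finding in correlate(CONN_LOG, CRASH_LOG):
        print("crash at %d shortly after FTP from %s to unapproved server %s" % finding)
```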
