CVE-2021-41635
📋 TL;DR
CVE-2021-41635 is a privilege escalation vulnerability in MELAG FTP Server 2.2.0.4, where the service runs as SYSTEM on Windows, allowing remote attackers to gain full administrative control over the host system if misconfigurations or other vulnerabilities are exploited. This affects organizations using this specific FTP server version installed as a Windows service.
💻 Affected Systems
- MELAG FTP Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers gain SYSTEM-level access, enabling complete compromise of the host, data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Attackers exploit the elevated privileges to install malware, exfiltrate sensitive data, or pivot to other systems in the network.
If Mitigated
Impact is limited if the service is not exposed to untrusted networks, but local privilege escalation risks remain if other vulnerabilities exist.
🎯 Exploit Status
Exploitation requires combining this with other vulnerabilities or misconfigurations in the FTP server, but details are publicly available in advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to a version beyond 2.2.0.4; check vendor for specific fixed version.
Vendor Advisory: https://www.securesystems.de/blog/advisory-and-exploitation-the-melag-ftp-server/
Restart Required: Yes
Instructions:
1. Download the latest version from the MELAG vendor.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to apply changes.
🔧 Temporary Workarounds
Change Service Account
Modify the MELAG FTP Server service to run under a non-SYSTEM, least-privilege account to reduce impact. The chosen account needs the "Log on as a service" right, and the space after each `=` in sc's syntax is required:
sc config "MELAG FTP Server" obj= "DOMAIN\User" password= "password"
sc stop "MELAG FTP Server"
sc start "MELAG FTP Server"
Network Segmentation
Restrict network access to the FTP server with the Windows firewall so that only trusted addresses can reach port 21. Windows Defender Firewall evaluates Block rules before Allow rules, so a blanket Block rule on port 21 would also cut off the trusted range; instead, allow only the trusted addresses (replace "TrustedIPRange" with the CIDR range or address list) and rely on the profile's default inbound action, set to Block, for everything else:
New-NetFirewallRule -DisplayName "Allow FTP From Trusted" -Direction Inbound -Protocol TCP -LocalPort 21 -RemoteAddress "TrustedIPRange" -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
🧯 If You Can't Patch
- Disable or uninstall the MELAG FTP Server if not essential, and use alternative secure FTP solutions.
- Implement strict network controls and monitor for unusual activity, such as unauthorized access attempts or privilege escalation.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of MELAG FTP Server; if it is 2.2.0.4 and running as a Windows service, it is vulnerable.
Check Version:
wmic product where name="MELAG FTP Server" get version
Verify Fix Applied:
Verify the version is updated beyond 2.2.0.4 and confirm the service is not running as SYSTEM by checking service properties.
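The two checks above (installed version and service account) can be combined into one audit script. The following is an added example, not part of the advisory or the vendor's software; it assumes the product appears under the standard Uninstall registry keys with a DisplayName starting with "MELAG FTP Server" and that the service's name or display name is "MELAG FTP Server" (adjust both if your installation differs). It reads the Uninstall keys rather than calling `wmic product`, which is slow and can trigger MSI reconfiguration of unrelated products, and it also reports whether port 21 is listening on all interfaces.

```powershell
# Added example (not from the advisory): audit a Windows host for CVE-2021-41635 exposure.
# Assumptions: service name/display name and Uninstall DisplayName as below.
$ServiceName     = 'MELAG FTP Server'   # assumed service/display name
$VulnerableBuild = [version]'2.2.0.4'   # affected build named in the advisory

# 1. Installed version from the Uninstall keys (both 64-bit and WOW6432Node views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MELAG FTP Server*' } |
    Select-Object -First 1

# 2. Service account, state and binary path.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName' OR Name='$ServiceName'"

# 3. Is anything listening on TCP/21, and on which local address?
$listener = Get-NetTCPConnection -State Listen -LocalPort 21 -ErrorAction SilentlyContinue

$findings = [ordered]@{}
$installed = $null
if ($product) {
    try { $installed = [version]$product.DisplayVersion } catch { $installed = $null }
}
if ($installed) {
    $findings['Version']   = $installed
    $findings['VersionOK'] = $installed -gt $VulnerableBuild
} else {
    $findings['Version']   = 'not found'
    $findings['VersionOK'] = $null
}

if ($svc) {
    # These StartName values all mean the service runs with SYSTEM privileges.
    $highPriv = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')
    $findings['ServiceAccount']   = $svc.StartName
    $findings['ServiceAccountOK'] = $highPriv -notcontains $svc.StartName
    $findings['ServiceState']     = $svc.State
    $findings['BinaryPath']       = $svc.PathName
} else {
    $findings['ServiceAccount']   = 'service not found'
    $findings['ServiceAccountOK'] = $null
}

# Listening on 0.0.0.0 or :: means every interface, i.e. no host-level exposure limit.
$findings['ListeningOnAllInterfaces'] = [bool]($listener | Where-Object { $_.LocalAddress -in '0.0.0.0','::' })

[pscustomobject]$findings | Format-List

# Verdict: exposed when the affected build is installed AND the service still runs as SYSTEM.
if ($findings['VersionOK'] -eq $false -and $findings['ServiceAccountOK'] -eq $false) {
    Write-Warning "Exposed to CVE-2021-41635: build $($findings['Version']) running as $($findings['ServiceAccount'])."
} elseif ($null -eq $findings['VersionOK']) {
    Write-Host 'MELAG FTP Server not detected via the Uninstall keys; check the installed version manually.'
} else {
    Write-Host 'No CVE-2021-41635 exposure detected by these checks.'
}
```

Run it in an elevated PowerShell session; reading Win32_Service and the TCP listener table does not require elevation, but the warning line is the one to act on after applying the fix or the service-account workaround, since it should no longer appear.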
📡 Detection & Monitoring
Log Indicators:
- Unusual FTP login attempts, privilege escalation events in Windows Event Logs (e.g., Event ID 4672).
Network Indicators:
- Anomalous FTP traffic patterns, connections from untrusted IPs to port 21.
SIEM Query:
(source="windows" EventID=4672) OR (source="ftp" action="failed login") | stats count by src_ip
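Event ID 4672 ("Special privileges assigned to new logon") fires on every SYSTEM and service logon, so a raw count is noise; the useful signal is 4672 for accounts that do not normally receive those privileges, joined to the matching 4624 network logon (type 3) so each hit carries a source address. The script below is an added example for local hunting on the host, not part of the advisory or any vendor tooling; the list of expected accounts is a constructed placeholder to tune per host, and it assumes the default Security log auditing of "Special Logon" and "Logon" is enabled. The EventData property indices used are the standard ones for 4672 and 4624 on current Windows builds.

```powershell
# Added example (not from the advisory): correlate 4672 special-privilege logons with
# 4624 network logons over the last N hours and summarise by account and source address.
param(
    [int]$Hours = 24,
    # Accounts that legitimately receive elevated privileges on every logon: constructed
    # starting list, extend it with your own service accounts.
    [string[]]$ExpectedAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-1', 'UMFD-0')
)

$since = (Get-Date).AddHours(-$Hours)

# 4672 EventData order: [1] SubjectUserName, [2] SubjectDomainName, [3] SubjectLogonId, [4] PrivilegeList.
$special = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $p[1].Value
            Domain     = $p[2].Value
            LogonId    = $p[3].Value
            Privileges = $p[4].Value
        }
    } |
    # Drop expected accounts and computer accounts (names ending in $).
    Where-Object { $ExpectedAccounts -notcontains $_.Account -and $_.Account -notlike '*$' }

# 4624 EventData order: [5] TargetUserName, [7] TargetLogonId, [8] LogonType, [18] IpAddress.
$netLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            LogonId   = $p[7].Value
            LogonType = $p[8].Value
            Account   = $p[5].Value
            SourceIp  = $p[18].Value
        }
    } |
    Where-Object { $_.LogonType -eq 3 }   # network logons only

# Index network logons by LogonId so each 4672 can be joined to its source address.
$byLogon = @{}
foreach ($n in $netLogons) { $byLogon[$n.LogonId] = $n }

$results = foreach ($s in $special) {
    $n = $byLogon[$s.LogonId]
    [pscustomobject]@{
        Time       = $s.Time
        Account    = "$($s.Domain)\$($s.Account)"
        SourceIp   = if ($n) { $n.SourceIp } else { '(local/non-network logon)' }
        Privileges = ($s.Privileges -replace '\s+', ' ')
    }
}

# Summary first (who, from where, how often), then the full detail for triage.
$results | Group-Object Account, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$results | Sort-Object Time | Format-Table -AutoSize
```

Reading the Security log requires an elevated session or membership in Event Log Readers. An unexpected account with SeDebugPrivilege or SeTcbPrivilege arriving from an address that also talks to port 21 is the combination worth escalating; the same join on logon ID translates directly into the SIEM query above once the 4624 events are indexed alongside 4672.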