CVE-2022-2560
📋 TL;DR
CVE-2022-2560 is an unauthenticated path traversal vulnerability in EnterpriseDT CompleteFTP Server that allows remote attackers to delete arbitrary files with SYSTEM privileges. The vulnerability exists due to improper path validation in the HttpFile class. All installations of CompleteFTP Server version 22.1.0 are affected.
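The root cause stated above is improper path validation: a request path is combined with the server's file root without neutralising ".." segments, so a string check on the concatenated path passes while the filesystem resolves it elsewhere. The following is an added example, not code from CompleteFTP or EnterpriseDT; it assumes a constructed POSIX-style document root and shows the flawed prefix check beside a hardened resolver that decodes, normalises and then tests containment.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; any absolute POSIX-style path works.
WEB_ROOT = "/srv/completeftp/www"


class PathTraversalError(ValueError):
    """Raised when a request path would resolve outside the document root."""


def naive_prefix_check(root, request_path):
    """The flawed pattern: concatenate root and request path, then test the
    string prefix. '..' segments survive untouched, so the prefix test passes
    while the OS later resolves the path outside the root."""
    joined = root + "/" + request_path.lstrip("/")
    return joined.startswith(root)


def resolve_request_path(root, request_path):
    """Hardened: decode, unify separators, normalise, then require containment.
    Returns the normalised absolute path or raises PathTraversalError."""
    # Decode twice so double-encoded sequences (%252e -> %2e -> '.') are seen.
    decoded = unquote(unquote(request_path))
    # CompleteFTP runs on Windows, where '\' is also a separator; treat it as one.
    decoded = decoded.replace("\\", "/")
    # posixpath.normpath collapses '.', '..' and repeated slashes without touching disk.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment is checked on the normalised path, not on the raw concatenation.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError(f"{request_path!r} escapes {root}")
    return candidate


def is_safe_request(root, request_path):
    """Boolean wrapper for request handlers and tests."""
    try:
        resolve_request_path(root, request_path)
        return True
    except PathTraversalError:
        return False


def naive_resolves_to(root, request_path):
    """What the OS would actually open for the naively joined path."""
    return posixpath.normpath(root + "/" + request_path.lstrip("/"))


if __name__ == "__main__":
    for p in ["/index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "..\\..\\Windows\\win.ini"]:
        print(f"{p!r:32} naive={naive_prefix_check(WEB_ROOT, p)} "
              f"safe={is_safe_request(WEB_ROOT, p)}")
```

The naive check returns True for "../../etc/passwd" because the unnormalised string still begins with the root; the hardened resolver rejects it, along with URL-encoded, double-encoded and backslash variants, while still accepting a file whose name merely contains "..".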
💻 Affected Systems
- EnterpriseDT CompleteFTP Server
📦 What is this software?
CompleteFTP Server by EnterpriseDT
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via deletion of critical system files, leading to OS corruption, service disruption, or potential privilege escalation to full SYSTEM control.
Likely Case
Service disruption through deletion of configuration files, web content, or user data, potentially causing business interruption and data loss.
If Mitigated
Limited impact if proper network segmentation and file system permissions are in place, though service disruption remains possible.
🎯 Exploit Status
ZDI published technical details but no public exploit code. The vulnerability is straightforward to exploit due to lack of authentication requirements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.1.1 or later
Vendor Advisory: https://enterprisedt.com/products/completeftp/doc/guide/html/history.html
Restart Required: Yes
Instructions:
1. Download CompleteFTP Server version 22.1.1 or later from the EnterpriseDT website.
2. Run the installer to upgrade.
3. Restart the CompleteFTP service.
4. Verify the new version is running.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to CompleteFTP Server to trusted IP addresses only (Windows).
Use Windows Firewall. The rule below allows inbound connections to the CompleteFTP ports only from the trusted source(s) you name; with the default inbound policy of Block, every other source is dropped. Replace the placeholder, remove any broader allow rule the installer may have created for these ports, and adjust the port list to the listeners your installation actually uses. Since this vulnerability is reached over HTTP, make sure the HTTP/HTTPS listener ports are covered if they differ from those shown:
netsh advfirewall firewall add rule name="Allow CompleteFTP trusted" dir=in action=allow protocol=TCP localport=21,990,8021,10000-10100 remoteip=<TRUSTED_IP_OR_SUBNET>
To cut off all inbound access to those ports instead (an emergency stop rather than a trusted-source restriction), use the block form; do not keep it alongside the allow rule, because a block rule takes precedence over an allow rule:
netsh advfirewall firewall add rule name="Block CompleteFTP" dir=in action=block protocol=TCP localport=21,990,8021,10000-10100 remoteip=any
Service Account Privilege Reduction
Run the CompleteFTP service under a limited user account instead of SYSTEM (Windows). This does not remove the traversal flaw, but it limits the files an attacker can delete to those the service account is permitted to delete.
1. Create a limited user account.
2. In services.msc, change the CompleteFTP service logon to this account.
3. Grant that account only the file permissions the service needs (its installation, configuration and data directories).
🧯 If You Can't Patch
- Immediately restrict network access to CompleteFTP Server using firewall rules to allow only trusted sources
- Implement strict file system permissions and monitor for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
CompleteFTP Server version 22.1.0 is affected. Read the version from the CompleteFTP Admin interface; 'sc query CompleteFTPServer' confirms only that the service is installed and whether it is running, not which version.
Check Version:
sc query CompleteFTPServer
(reports the service state; the product version is shown in the CompleteFTP Admin interface, or in the Details tab of the service executable's file properties)
Verify Fix Applied:
Verify that CompleteFTP Server reports version 22.1.1 or later, and confirm that HTTP requests containing path traversal sequences in the file path are rejected rather than acted on.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with path traversal patterns (../ sequences) to CompleteFTP endpoints
- Unexpected file deletion events in Windows Security logs
- CompleteFTP error logs showing file access violations
Network Indicators:
- HTTP requests to CompleteFTP web interface containing path traversal sequences
- Unusual file deletion patterns via FTP/HTTP protocols
SIEM Query (generic form; adapt the field names to your log source):
source="CompleteFTP" AND (http_uri="*../*" OR event="FileDelete")
The literal "../" wildcard misses URL-encoded (%2e%2e%2f, %2e%2e/), double-encoded and backslash (..\) forms; match on the decoded URI, or add those variants to the pattern.
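The log and network indicators above amount to one detection: a request whose decoded URI contains a ".." path segment, weighted higher when the method changes state. The following is an added example, not part of the original advisory and not CompleteFTP's own log format; it runs that logic over constructed sample lines in a simplified "timestamp client method uri status" layout and handles the encoded and backslash variants the plain SIEM wildcard misses.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "timestamp client method uri status" layout;
# the real CompleteFTP HTTP log format differs, so adapt LINE_RE to it.
SAMPLE_LOG = """\
2022-07-20T10:15:01Z 198.51.100.20 GET /index.html 200
2022-07-20T10:15:02Z 203.0.113.7 DELETE /files/../../Windows/win.ini 200
2022-07-20T10:15:03Z 203.0.113.7 DELETE /files/..%2f..%2fProgramData%2fEnterpriseDT 200
2022-07-20T10:15:04Z 203.0.113.7 GET /files/..%252f..%252fconfig 404
2022-07-20T10:15:05Z 198.51.100.20 GET /docs/release..notes.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# A '..' that stands alone as a path segment (at start/end or between separators),
# so a file name that merely contains '..' does not trigger.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[/\\])\.\.(?:$|[/\\])")
# Methods that change state; traversal in these is the deletion case this CVE describes.
MUTATING_METHODS = {"DELETE", "PUT", "POST"}


def normalise_uri(uri):
    """Decode twice (catches %252e) and unify separators before matching."""
    return unquote(unquote(uri)).replace("\\", "/")


def find_traversal_requests(log_text):
    """Return one alert dict per request whose decoded URI contains a '..' segment."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production parser would count these
        ts, client, method, uri, status = m.groups()
        if TRAVERSAL_SEGMENT.search(normalise_uri(uri)):
            alerts.append({
                "time": ts, "client": client, "method": method,
                "uri": uri, "status": int(status),
                "severity": "high" if method in MUTATING_METHODS else "medium",
            })
    return alerts


def summarise_by_client(alerts):
    """Count alerts per client address, the pivot a SOC would triage on."""
    counts = {}
    for a in alerts:
        counts[a["client"]] = counts.get(a["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_requests(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['time']} {a['client']} {a['method']} {a['uri']}")
    print(summarise_by_client(found))
```

Three of the five constructed lines are flagged: the plain, single-encoded and double-encoded traversal requests, with the two DELETEs rated high; the "release..notes.html" line is left alone. Correlate the high-severity hits with file deletion events from the Windows Security log to confirm whether a request actually removed something.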