Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-46854

CVE-2021-46854: ProFTPD Information Disclosure Flaw

CVE-2021-46854 is an information disclosure vulnerability in ProFTPD mod_radius that exposes memory to RADIUS servers through improper data handling. This article covers technical details, affected versions, and mitigation.

Published: February 25, 2026

CVE-2021-46854 Overview

CVE-2021-46854 is a memory information disclosure vulnerability in the mod_radius module of ProFTPD, a popular open-source FTP server. The vulnerability exists in versions prior to 1.3.7c and allows sensitive memory contents to be disclosed to RADIUS servers due to improper handling of data blocks during authentication operations. The flaw stems from the module copying fixed 16-character blocks regardless of actual data length, potentially exposing uninitialized memory contents to external RADIUS authentication servers.

Critical Impact

Sensitive memory contents including potentially credentials, session tokens, or other confidential data may be leaked to RADIUS servers during authentication, enabling information disclosure attacks against ProFTPD deployments using RADIUS authentication.

Affected Products

  • ProFTPD versions prior to 1.3.7c
  • ProFTPD installations with mod_radius module enabled
  • Systems using RADIUS authentication with ProFTPD

Discovery Timeline

  • 2022-11-23 - CVE-2021-46854 published to NVD
  • 2025-04-28 - Last updated in NVD database

Technical Details for CVE-2021-46854

Vulnerability Analysis

The vulnerability resides in the mod_radius module which handles RADIUS-based authentication for ProFTPD. When constructing RADIUS authentication packets, the module copies data in fixed 16-character blocks. This implementation flaw means that when the actual data is shorter than 16 characters, the remaining bytes contain uninitialized memory contents. These memory contents are then transmitted to the RADIUS server as part of the authentication packet.

This type of memory disclosure vulnerability (classified as CWE-401: Missing Release of Memory after Effective Lifetime) can expose sensitive information that happens to reside in adjacent memory locations. The network-accessible nature of this vulnerability means an attacker controlling or monitoring a RADIUS server could passively collect disclosed memory contents from vulnerable ProFTPD installations.

Root Cause

The root cause is improper memory handling in the mod_radius module's packet construction logic. The code copies fixed 16-byte blocks without properly initializing or clearing the destination buffer, and without bounds checking to ensure only the intended data is copied. This results in memory contents beyond the intended data being included in outbound RADIUS packets. The fix, addressed in GitHub ProFTPD Pull Request #1285, ensures proper buffer handling to prevent memory leakage.

Attack Vector

The attack vector is network-based and does not require authentication or user interaction. An attacker who operates a malicious RADIUS server, or has compromised a legitimate RADIUS server, can passively collect memory contents disclosed by vulnerable ProFTPD installations. The disclosed memory may contain:

  • Fragments of user credentials from previous authentication attempts
  • Session tokens or internal state information
  • Configuration data or file paths
  • Other sensitive information residing in server memory

The vulnerability is exploited passively during normal authentication operations, making detection difficult without network traffic analysis.

Detection Methods for CVE-2021-46854

Indicators of Compromise

  • Unusual RADIUS packet sizes or malformed authentication requests originating from ProFTPD servers
  • RADIUS traffic containing unexpected binary data or memory fragments
  • Authentication packets with padding that contains non-null, non-random data patterns
  • Evidence of RADIUS server compromise or unauthorized RADIUS server connections

Detection Strategies

  • Audit ProFTPD version and verify mod_radius module status using proftpd -V command
  • Analyze RADIUS authentication traffic for anomalous packet contents using network monitoring tools
  • Review ProFTPD configuration files for mod_radius usage with grep -r "LoadModule mod_radius" /etc/proftpd/
  • Implement network segmentation monitoring between FTP and RADIUS servers
  • Deploy memory analysis tools to identify potential information leakage patterns

Monitoring Recommendations

  • Enable detailed logging for RADIUS authentication events in ProFTPD configuration
  • Monitor network traffic between ProFTPD servers and RADIUS infrastructure for unusual patterns
  • Implement alerting for connections to unauthorized or unexpected RADIUS servers
  • Review system logs for authentication anomalies or failed RADIUS communications

How to Mitigate CVE-2021-46854

Immediate Actions Required

  • Upgrade ProFTPD to version 1.3.7c or later immediately
  • If upgrade is not immediately possible, disable mod_radius module and use alternative authentication methods
  • Audit RADIUS server logs for potential information disclosure
  • Review network segmentation between FTP servers and RADIUS infrastructure
  • Assess whether sensitive data may have been exposed through RADIUS communications

Patch Information

The vulnerability is addressed in ProFTPD version 1.3.7c and later. Administrators should upgrade to the latest stable release. Detailed patch information is available in the ProFTPD Release Notes 1.3.7e. The fix ensures proper buffer handling to prevent memory contents from being leaked in RADIUS packets. Additional security advisories are available from Gentoo GLSA 202305-03.

Workarounds

  • Disable the mod_radius module if RADIUS authentication is not required
  • Implement network isolation between ProFTPD servers and RADIUS infrastructure to limit exposure
  • Use alternative authentication methods such as local authentication, LDAP, or SQL-based authentication
  • Deploy a reverse proxy or firewall rules to control and monitor RADIUS traffic
  • Consider encrypting RADIUS traffic using RadSec (RADIUS over TLS) to protect disclosed data in transit
bash
# Configuration example
# Disable mod_radius in ProFTPD configuration
# Edit /etc/proftpd/proftpd.conf and comment out or remove:
# LoadModule mod_radius.c

# Verify ProFTPD version
proftpd -V | grep "Version"

# Check if mod_radius is currently loaded
proftpd -l | grep mod_radius

# Restart ProFTPD after configuration changes
systemctl restart proftpd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechProftpd
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability1.30%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-401
  • Technical References
  • Gentoo Bug Report #811495
  • GitHub ProFTPD Issue #1284
  • GitHub ProFTPD Pull Request #1285
  • Gentoo GLSA 202305-03
  • Vendor Resources
  • ProFTPD Release Notes 1.3.7e
  • Related CVEs
  • CVE-2021-47865: ProFTPD 1.3.7a DoS Vulnerability
  • CVE-2024-57392: ProFTPD Buffer Overflow RCE Vulnerability
  • CVE-2020-9273: ProFTPD Use-After-Free RCE Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English