Cerberus FTP Server Privilege Escalation Vulnerability

Vulnerability

A vulnerability allowing local privilege escalation has been identified in Cerberus FTP Server on Windows, affecting versions through 2025.4.2. The issue arises from insecure inherited permissions that allow low-privileged users to replace legitimate update files with malicious executables. When the update process is initiated, the malicious file is executed with administrative privileges, leading to unauthorized access.

Impact

Exploitation of this vulnerability allows low-privileged users to gain local administrator rights on the affected system.

Reproduction

To reproduce this vulnerability, a low-privileged user creates a malicious executable named 'CerberusUpdate_amd64_2025.4.1.0.exe' and places it in the 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server\installers' directory, which is writable by standard users, so a plain file copy into the folder suffices. Once the malicious executable is in place, an administrative user initiates the update process from the 'Help' menu. The update feature downloads the legitimate installer into the same directory, but the low-privileged user can intercept this step by replacing the downloaded file with the pre-created malicious one. When the update is applied, the harmful executable is run with elevated privileges, resulting in privilege escalation.
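One way to check whether a host is exposed to the inherited-permission weakness described in the Vulnerability and Reproduction sections above, assuming the default installers path named in the advisory. This is an added, read-only audit example, not code from the advisory or from the vendor:

```powershell
# Added example, not from the advisory or the vendor: audit the ACL of the
# directory named in the advisory and report any non-administrative principal
# that could create, replace or delete files there. Read-only; changes nothing.
$InstallerDir = 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server\installers'

function Get-InstallerDirWriteRisk {
    param([string]$Path = $InstallerDir)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path

    # Principals expected to write here (assumption: install/update runs as one of these).
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    # Any of these bits lets a caller plant, swap or remove a file in the directory.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                 $R::DeleteSubdirectoriesAndFiles -bor $R::WriteAttributes -bor
                 $R::WriteExtendedAttributes -bor $R::TakeOwnership -bor $R::ChangePermissions
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) also grant write access.
    $genericWrite = 0x40000000 -bor 0x10000000

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$writeMask) -ne 0 -or ($rights -band $genericWrite) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs are the root cause in the advisory
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

# Report whether the directory still inherits its ACL from the parent at all.
$acl = Get-Acl -LiteralPath $InstallerDir -ErrorAction SilentlyContinue
if ($acl -and -not $acl.AreAccessRulesProtected) {
    Write-Warning "$InstallerDir inherits its ACL from the parent directory."
}
Get-InstallerDirWriteRisk | Format-Table -AutoSize
```

An empty table means no principal outside SYSTEM, Administrators and TrustedInstaller holds write-class rights on the directory; any row names a principal that could stage a file there before the update is applied.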

Remediation

Users should update Cerberus FTP Server to version 2026.1 or later.

Added: Apr 27, 2026, 2:24 PM
Updated: Apr 27, 2026, 2:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.