CVE-2026-28295
Status: Received - Intake
FTP GVfs Backend Trusts Malicious PASV Response, Enabling Network Port Scanning

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: Red Hat, Inc.

Description
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.
Meta Information
Published: 2026-02-26
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: gnome; Product: gvfs; Version / Range: * (any version)
Exploitability
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the GVfs FTP backend when handling PASV (passive mode) responses from FTP servers. A malicious FTP server can send an arbitrary IP address and port in its PASV reply, which the client trusts without validation. As a result, the client attempts to connect to the specified IP and port, even if they are unrelated to the FTP server. This allows the malicious server to make the client connect to arbitrary endpoints, potentially probing for open ports accessible from the client's network. [1]


How can this vulnerability impact me?

The impact of this vulnerability is information disclosure through network probing. A malicious FTP server can exploit it to cause the client to connect to arbitrary IP addresses and ports, effectively scanning the client's network environment for open ports. This can reveal network topology or services running on the client's network that might otherwise be hidden, potentially aiding further attacks. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the GVfs FTP backend unconditionally trusting the IP address and port provided in PASV responses from FTP servers, which can lead to the client connecting to arbitrary endpoints. Detection would involve monitoring FTP client connections for unusual or unexpected outbound connections to IP addresses and ports specified in PASV responses.

You can detect exploitation attempts by capturing and analyzing FTP traffic, specifically PASV responses, and correlating them with subsequent outbound connection attempts from the client.

  • Use packet capture tools like tcpdump or Wireshark to monitor FTP control connections and identify PASV responses.
  • Example tcpdump command to capture FTP control traffic: tcpdump -i <interface> 'tcp port 21'
  • Inspect PASV responses in captured traffic for IP addresses and ports, then check if the client initiates connections to those endpoints.
  • Use netstat or ss on the client system to monitor active connections and identify unexpected outbound connections to IPs and ports indicated by PASV responses. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or monitoring FTP client connections to prevent arbitrary connections to IP addresses and ports specified by untrusted FTP servers.

Since no fixed version or patch is specified, consider the following actions:

  • Avoid using the GVfs FTP backend to connect to untrusted or potentially malicious FTP servers.
  • Implement network-level controls such as firewall rules to restrict outbound connections from the client to only trusted IP addresses and ports.
  • Monitor FTP traffic and client connections for suspicious activity as described in the detection steps.
  • Consider disabling or limiting the use of passive mode FTP if possible, or use alternative secure file transfer methods.
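The check a passive-mode FTP client needs in order to close this class of flaw, as an added example written for this page rather than GVfs code: parse the 227 reply and refuse any data endpoint whose host differs from the peer the control connection already reached. The peer address, reply strings and the helper names are constructed for the demonstration; no assumption is made about how GVfs itself structures this code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Endpoint advertised in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". */
typedef struct {
    char host[16];      /* dotted quad built from h1..h4 */
    unsigned int port;  /* p1 * 256 + p2 */
} pasv_target;

/* Parse a PASV reply; false unless it is a 227 line with six fields in 0..255. */
bool pasv_parse(const char *reply, pasv_target *out)
{
    unsigned int h[4], p[2];
    const char *open = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || open == NULL)
        return false;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return false;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255) return false;
    if (p[0] > 255 || p[1] > 255)
        return false;
    snprintf(out->host, sizeof out->host, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    out->port = p[0] * 256 + p[1];
    return true;
}

/* The vulnerable client connects to whatever pasv_parse produced. Hardened
 * rule: the data connection may only go to the host the control connection
 * already reached (control_peer), on a non-zero port; anything else is refused. */
bool pasv_accept(const char *reply, const char *control_peer)
{
    pasv_target t;
    return pasv_parse(reply, &t) && t.port != 0 && strcmp(t.host, control_peer) == 0;
}

int main(void)
{
    /* Constructed sample: the control connection is to 192.0.2.10, but the
     * server's reply points the data connection at 10.0.0.5:22 instead. */
    const char *peer = "192.0.2.10";
    const char *reply = "227 Entering Passive Mode (10,0,0,5,0,22).";
    pasv_target t;
    if (pasv_parse(reply, &t))
        printf("PASV -> %s:%u: %s\n", t.host, t.port,
               pasv_accept(reply, peer) ? "connect" : "refuse");
    return 0;
}
```

Some clients fall back to the control peer's address instead of refusing; either way the server-supplied host is never used on its own.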
