CVE-2021-30047 Vulnerability: Full Overview
Written by: Nadine Rozell
Published: 04/24/2026
What is CVE-2021-30047 vulnerability?
CVE-2021-30047 is a Remote Denial of Service (DoS) vulnerability affecting the vsftpd (Very Secure FTP Daemon) server, specifically version 3.0.3.
The vulnerability stems from an issue in how the daemon handles concurrent connections. By spawning a large number of connections that remain active or in a specific state, a remote attacker can exhaust the available connection slots allowed by the server configuration. This prevents legitimate users from establishing new connections, effectively rendering the FTP service unavailable. While it does not allow for data theft or remote code execution, it is a significant availability risk for public-facing FTP servers.
When was it discovered?
The vulnerability was assigned a CVE ID in 2021 but was formally published in the National Vulnerability Database (NVD) on August 22, 2023. The exploit logic, often referred to as "vsftpd 3.0.3 - Remote Denial of Service," appeared in public exploit databases (such as Exploit-DB) as early as 2021.
Affected products & versions
The vulnerability specifically targets the 3.0.3 branch of vsftpd, which is widely used across many Linux distributions.
Product | Versions Affected | Fixed Versions / Mitigation
--- | --- | ---
vsftpd | 3.0.3 | Configuration changes or upstream patches (distro dependent)
Linux distros | Various (Debian, Red Hat, etc.) running vsftpd 3.0.3 | Apply mitigation settings in vsftpd.conf
CVE-2021-30047 technical description
The vulnerability exploits the default connection handling mechanisms of the vsftpd daemon.
By design, vsftpd has parameters to limit the number of concurrent clients (max_clients) and the number of connections per IP address (max_per_ip). However, when these are left at their defaults or set too loosely, an attacker can rapidly initiate a storm of connection requests.
The exploit works by creating multiple sockets and connecting to the target FTP server (TCP port 21) without closing them. The server allocates resources (a process or thread) for each connection. Once the limit is reached, the server stops accepting new connections and replies with an error such as "421 There are too many connected users, please try later."
Unlike complex buffer overflows, this is a resource exhaustion attack. The "exploit" script simply automates the process of filling up these slots faster than the server can time them out.
Tactics, Techniques & Procedures (TTPs)
Attackers leverage this vulnerability primarily for Service Disruption (Impact).
Reconnaissance: Attackers scan for open port 21 and grab the banner to identify the version as vsftpd 3.0.3.
Exploitation: A script is launched that opens hundreds or thousands of connections to the target IP. The attacker does not need to authenticate; the initial handshake is sufficient to consume a slot.
Persistence (of effect): The attacker maintains these open sockets, sending "keep-alive" packets to prevent the server from dropping them due to inactivity.
Indicators of compromise
Service Unavailability: Legitimate users report being unable to connect to the FTP server, receiving "Too many connected users" errors.
Log Volume: System logs (e.g., /var/log/vsftpd.log or syslog) show a massive influx of connection attempts from a single IP or a small range of IPs.
Process Spikes: An unusually high number of vsftpd child processes visible in process monitoring tools (like top or htop), even if CPU usage is low.
Known proof-of-concepts & exploits
A public Proof-of-Concept (PoC) exploit is available on Exploit-DB (ID: 49719).
The script is a simple Python program that utilizes threading to spawn multiple socket connections to the target server. Because of its simplicity, it is easily modified and integrated into botnets for distributed denial-of-service (DDoS) attacks.
How to detect CVE-2021-30047 vulnerability?
Banner Grabbing: Check the FTP banner for the version string (vsftpd 3.0.3).
Configuration Audit: Review /etc/vsftpd.conf to check if max_per_ip and max_clients are set to appropriately low values. If max_per_ip is set to 0 (unlimited) or a very high number, the system is highly susceptible.
Network Monitoring: Alert on a high count of concurrent TCP connections to port 21 from a single external IP address.
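The log-volume indicator and the network-monitoring check above can be turned into a small detection routine. The following is an added example written for this article, not code from the original page or from the vsftpd project: it parses lines in the format vsftpd writes to /var/log/vsftpd.log (CONNECT records and "FTP response" records), counts CONNECT events per source IP inside a sliding time window, and counts the 421 "too many connected users" replies that show the slots are already exhausted. The sample log lines are constructed for the example, and the window and threshold values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the CONNECT and "FTP response" records vsftpd writes when its own
# log format (not the xferlog format) is in use.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?P<event>CONNECT|FTP response): Client "(?P<ip>[^"]+)"(?P<rest>.*)$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, event, ip, rest) or None for lines that are not vsftpd records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("event"), m.group("ip"), m.group("rest")


def connection_floods(lines, window_seconds=60, threshold=20):
    """Per source IP, the largest number of CONNECT records seen inside any
    sliding window of `window_seconds`; only IPs reaching `threshold` are returned.
    The defaults (60 s, 20 connections) are assumed starting points, not vsftpd values."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest window count observed
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[0])
    for ts, event, ip, _ in events:
        if event != "CONNECT":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def too_many_users_responses(lines):
    """Count 421 replies: the server-side symptom that the connection slots are full."""
    return sum(1 for e in map(parse_line, lines)
               if e and e[1] == "FTP response" and '"421 ' in e[3])


def constructed_sample_log():
    """Constructed sample (not from a real system): one legitimate client, and one
    source opening 30 connections in 15 seconds until the server starts replying 421."""
    base = datetime(2026, 4, 24, 10, 0, 0)
    stamp = lambda t: t.strftime(TS_FORMAT)
    lines = [f'{stamp(base)} [pid 4001] CONNECT: Client "198.51.100.20"']
    pid = 4100
    for i in range(30):
        t = base + timedelta(seconds=i // 2)   # two new connections per second
        lines.append(f'{stamp(t)} [pid {pid + i}] CONNECT: Client "203.0.113.5"')
    for j in range(3):
        t = base + timedelta(seconds=15 + j)
        lines.append(f'{stamp(t)} [pid {pid + 30 + j}] FTP response: Client "203.0.113.5", '
                     f'"421 There are too many connected users, please try later."')
    lines.append("unrelated syslog noise that the parser should skip")
    return lines


if __name__ == "__main__":
    sample = constructed_sample_log()
    for ip, n in connection_floods(sample).items():
        print(f"ALERT {ip}: {n} connections within 60 s")
    print(f"421 replies seen: {too_many_users_responses(sample)}")
```

Run against a real log, the same two functions answer the two questions a responder asks first: which source addresses are opening connections far faster than any FTP client would, and whether the server has already started turning legitimate users away.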
Impact & risk of CVE-2021-30047 vulnerability
The risk is rated as High (CVSS 7.5), specifically affecting Availability.
For organizations that rely on FTP for critical data transfers (e.g., automated backups, file ingestion pipelines), this vulnerability can stop operations entirely. It does not, however, compromise the confidentiality of the data or the integrity of the server files.
Mitigation & remediation strategies
Since this exploits a resource limit, mitigation often involves hardening the configuration rather than just applying a binary patch.
Configure Connection Limits: Edit your vsftpd.conf file to strictly limit connections. Set max_per_ip to a reasonable number (e.g., 5 or 10) to prevent a single attacker from consuming all slots.
Enable Rate Limiting: Use firewall rules (iptables or nftables) to rate-limit new connections to port 21 (e.g., allowing only 10 new connections per minute from a single IP).
Update Software: Ensure your Linux distribution packages are up to date, as some maintainers may have backported fixes that handle connection throttling better.
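The configuration audit listed under detection and the connection-limit hardening listed above rest on the same few lines of vsftpd.conf, so one example covers both. It is an added example written for this article, not code from the original page or from the vsftpd project: it parses a vsftpd.conf, flags max_per_ip and max_clients when they are missing, set to 0 (which vsftpd treats as no limit, and which is the default for both), non-numeric, or above a chosen bound, and then emits a hardened copy of the file with explicit limits. The sample configuration is constructed, and the bounds (10 per IP, 50 in total) and the hardened values (5 and 50) are assumptions; the article itself suggests 5 or 10 for max_per_ip.

```python
import re

# vsftpd treats a value of 0 as "no limit" for both directives, and 0 is also
# the default when they are absent from the file.
UNLIMITED = 0
LIMIT_DIRECTIVES = {
    # directive: (assumed upper bound for a public server, what it bounds)
    "max_per_ip": (10, "concurrent sessions from one source address"),
    "max_clients": (50, "concurrent sessions in total"),
}
SETTING_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blanks are skipped, a repeated key keeps its last value."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_connection_limits(settings):
    """Return a finding for each limit that is missing, unlimited, non-numeric, or above its bound."""
    findings = []
    for key, (bound, what) in LIMIT_DIRECTIVES.items():
        raw = settings.get(key)
        if raw is None:
            findings.append(f"{key} not set: defaults to 0, i.e. no limit on {what}")
            continue
        if not raw.isdigit():
            findings.append(f"{key}={raw!r} is not a number and cannot act as a limit on {what}")
            continue
        value = int(raw)
        if value == UNLIMITED:
            findings.append(f"{key}=0 removes the limit on {what}")
        elif value > bound:
            findings.append(f"{key}={value} exceeds the assumed bound of {bound} for {what}")
    return findings


def harden_conf(text, max_per_ip=5, max_clients=50):
    """Return the config text with both limits set to the given values.
    An existing assignment is rewritten in place (duplicates are dropped so
    only one authoritative value remains); a missing one is appended."""
    wanted = {"max_per_ip": str(max_per_ip), "max_clients": str(max_clients)}
    seen, out = set(), []
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            if key in seen:
                continue
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key in wanted:
        if key not in seen:
            out.append(f"{key}={wanted[key]}")
    return "\n".join(out) + "\n"


# Constructed sample configuration (not copied from any real host) showing
# the weak settings the article warns about.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=NO
local_enable=YES
max_per_ip=0
# max_clients left unset
"""

if __name__ == "__main__":
    for finding in audit_connection_limits(parse_vsftpd_conf(WEAK_CONF)):
        print("FINDING:", finding)
    print(harden_conf(WEAK_CONF))
```

The audit deliberately treats an absent directive as a finding rather than as "not configured": vsftpd applies the unlimited default silently, so a file that never mentions max_clients is exactly as exposed as one that sets it to 0. After editing, restart vsftpd and re-run the audit on the live file to confirm the limits took effect.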