Which versions of CompleteFTP are affected by this vulnerability?

CompleteFTP versions 10.0.0 through 23.0.4, released between December 2016 and December 2023, are affected by this vulnerability.

CompleteFTP 'Short-Sleeve' RSA and DSA Key Vulnerability Exposed

Q: What caused the 'short-sleeve' key vulnerability in CompleteFTP?

The vulnerability was due to a type mismatch in big-integer code, leading to the generation of RSA and DSA keys with predictable zero-bit patterns, making them susceptible to factoring attacks.

Q: How can users mitigate the 'short-sleeve' key vulnerability?

Users should upgrade to CompleteFTP version 26.1.0 or later, which includes a tool to detect and regenerate vulnerable keys, ensuring the security of their cryptographic implementations.

A critical flaw in CompleteFTP's key generation process led to weak 'short-sleeve' RSA and DSA keys, compromising encrypted communications. Discover the details and mitigation strategies.

Published: June 12, 2026

Share this on:

Executive Summary

In June 2026, researchers identified a vulnerability in RSA and DSA key generation within the CompleteFTP software, leading to the creation of 'short-sleeve' keys with predictable zero-bit patterns. This flaw, stemming from a type mismatch in big-integer code, resulted in the generation of weak cryptographic keys that could be easily factored, compromising the security of encrypted communications. The issue affected CompleteFTP versions 10.0.0 through 23.0.4, spanning from December 2016 to December 2023. EnterpriseDT, the developers of CompleteFTP, promptly released version 26.1.0 on May 8, 2026, which includes a tool to detect and regenerate vulnerable keys. (enterprisedt.jp)

This incident underscores the critical importance of rigorous code review and adherence to cryptographic standards in software development. It also highlights the necessity for organizations to regularly audit their cryptographic implementations to identify and mitigate potential vulnerabilities that could be exploited by attackers.

Why This Matters Now

The discovery of 'short-sleeve' RSA and DSA keys in widely used software like CompleteFTP reveals ongoing risks in cryptographic key generation processes. As cyber threats evolve, ensuring the robustness of cryptographic implementations is paramount to maintaining secure communications and data integrity.

Attack Path Analysis

An attacker exploited weak RSA keys generated by vulnerable versions of CompleteFTP to gain unauthorized access to systems. Upon access, the attacker escalated privileges by leveraging the compromised keys to obtain administrative control. The attacker then moved laterally across the network by accessing other systems using the same weak keys. Command and control were established through encrypted channels to maintain persistence and control over the compromised systems. Sensitive data was exfiltrated over these encrypted channels to external servers. Finally, the attacker caused significant impact by disrupting services and potentially deploying ransomware.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

Exploitation of weak RSA keys generated by vulnerable versions of CompleteFTP to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2022-2560
CVSS 9.1
A path traversal vulnerability in EnterpriseDT CompleteFTP 22.1.0 allows unauthenticated remote attackers to delete arbitrary files with SYSTEM privileges.
Affected Products:
EnterpriseDT CompleteFTP – 22.1.0
Exploit Status:
no public exploit
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-2560 https://portswigger.net/daily-swig/completeftp-path-traversal-flaw-allowed-attackers-to-delete-server-files
CVE-2019-16116
CVSS 4.3
Information exposure in EnterpriseDT CompleteFTP Server prior to version 12.1.3 allows attackers to obtain the administrator password hash via the Bootstrap.log file.
Affected Products:
EnterpriseDT CompleteFTP – < 12.1.3
Exploit Status:
no public exploit
References:
https://osv.dev/vulnerability/CVE-2019-16116

MITRE ATT&CK® Techniques

Credential Access

T1552.004

Unsecured Credentials: Private Keys

Command and Control

T1573.002

Encrypted Channel: Asymmetric Cryptography

Impact

T1486

Data Encrypted for Impact

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Cryptographic Key Management

Control ID: 3.6

The incident highlights deficiencies in cryptographic key management practices, potentially violating PCI DSS requirements for secure key generation and storage.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.3

The vulnerability indicates a lack of comprehensive cybersecurity policies addressing secure software development and cryptographic controls, as mandated by NYDFS regulations.

DORA – ICT Risk Management Framework

Control ID: Article 6

The incident suggests inadequate ICT risk management practices, contravening DORA's requirements for identifying and mitigating ICT-related risks.

CISA ZTMM 2.0 – Data

Control ID: Pillar 3

The exposure of private keys due to flawed key generation processes indicates a failure to implement zero trust principles for data protection as outlined in CISA's Zero Trust Maturity Model.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reflects insufficient implementation of cybersecurity risk management measures required by the NIS2 Directive to ensure the security of network and information systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

RSA cryptographic vulnerabilities in CompleteFTP compromise encrypted communications, violating PCI compliance requirements and exposing sensitive financial data to factorization attacks.

Health Care / Life Sciences

Short-sleeve RSA keys undermine HIPAA encryption standards, enabling unauthorized access to protected health information through polynomial-based cryptanalytic techniques exploiting implementation flaws.

Government Administration

Weak RSA key generation affects secure government communications and file transfers, compromising Zero Trust architectures and violating NIST cybersecurity framework requirements.

Computer Software/Engineering

CompleteFTP vulnerability demonstrates critical cryptographic implementation failures in software development, requiring immediate key regeneration and security assessment across enterprise applications.

Sources

Factoring "short-sleeve" RSA keys with polynomialshttps://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/
Verified

CompleteFTP path traversal flaw allowed attackers to delete server fileshttps://portswigger.net/daily-swig/completeftp-path-traversal-flaw-allowed-attackers-to-delete-server-files

Verified

CVE-2022-2560 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2022-2560

Verified

Frequently Asked Questions

The vulnerability was due to a type mismatch in big-integer code, leading to the generation of RSA and DSA keys with predictable zero-bit patterns, making them susceptible to factoring attacks.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to exploit weak RSA keys, escalate privileges, and move laterally, thereby reducing the overall blast radius.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's unauthorized access would likely be constrained, limiting their ability to exploit weak RSA keys for initial entry.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be limited, reducing their control over the system.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely be restricted, limiting their ability to access other systems using compromised keys.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control channels would likely be detected and disrupted, reducing their ability to maintain persistence.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration attempts would likely be blocked, limiting the unauthorized transfer of sensitive data.

Impact (Mitigations)

The attacker's ability to disrupt services and deploy ransomware would likely be limited, reducing operational impact.

Impact at a Glance

Affected Business Functions

Secure File Transfer
Data Integrity
System Administration

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of sensitive data due to compromised cryptographic keys.

Recommended Actions

• Implement robust key generation practices to prevent the creation of weak cryptographic keys.
• Regularly audit and rotate SSH keys to mitigate the risk of unauthorized access.
• Enforce strict access controls and least privilege principles to limit the potential for lateral movement.
• Monitor network traffic for anomalies indicative of unauthorized command and control channels.
• Establish comprehensive incident response plans to quickly address and mitigate the impact of security breaches.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

CompleteFTP 'Short-Sleeve' RSA and DSA Key Vulnerability Exposed

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2022-2560

Affected Products:

Exploit Status:

References:

CVE-2019-16116

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Unsecured Credentials: Private Keys

Encrypted Channel: Asymmetric Cryptography

Data Encrypted for Impact

Potential Compliance Exposure

PCI DSS 4.0 – Cryptographic Key Management

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Computer Software/Engineering

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads