highCVE-2026-60108

Zeek FTP Analyzer Uncontrolled Memory Consumption Vulnerability

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor.

ProductZeek
CVSS8.7
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Zeek should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Zeek before 8.0.9

Fixed versions

  • 8.0.9

How to fix it

Zeek before 8.0.9 can consume unbounded memory in the FTP analyzer when processing crafted AUTH GSSAPI and ADAT control data. Upgrade Zeek sensors to 8.0.9 or later and restart workers so the patched analyzer is active. Prioritize sensors that inspect untrusted FTP traffic or high-volume network segments.

  1. Inventory Zeek sensors, package versions, containers, and appliances running the FTP analyzer.
  2. Upgrade Zeek to 8.0.9 or later across affected sensors.
  3. Restart Zeek workers and confirm the patched binary is active on every node.
  4. Restrict or filter untrusted FTP control traffic to vulnerable sensors until upgrades are complete where operationally safe.
  5. Review Zeek reporter logs, crash logs, and packet captures for AUTH GSSAPI followed by oversized ADAT lines.
  6. Add monitoring for repeated worker restarts, process termination, and FTP analyzer failures.
  7. Back up Zeek configuration and redeploy from trusted packages if sensors were unstable during attack attempts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm all sensors report Zeek 8.0.9 or later.
  • Validate crafted large ADAT FTP control lines no longer cause memory exhaustion in a safe test environment.
  • Review Zeek logs for FTP analyzer crash patterns before and after the update.
  • Test normal FTP logging and detection workflows after remediation.
  • Run a Fixnx scan and confirm public monitoring or sensor administration interfaces are not exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-60108?

Zeek versions listed as affected should be reviewed: Zeek before 8.0.9.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.