
CVE-2023-27535: Authentication Bypass by Primary Weakness (CWE-305) in https://github.com/curl/curl

Severity: Medium
Tags: Vulnerability, CVE-2023-27535, CWE-305
Published: Thu Mar 30 2023 (03/30/2023, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: https://github.com/curl/curl

Description

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

AI-Powered Analysis

Last updated: 07/10/2025, 19:20:07 UTC

Technical Analysis

CVE-2023-27535 is an authentication bypass vulnerability identified in libcurl versions prior to 8.0.0, specifically affecting the FTP connection reuse feature. libcurl maintains a connection pool to optimize network operations by reusing previously established connections if they match the current connection parameters. However, this vulnerability arises because certain FTP-specific settings—namely CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL—were not included in the matching criteria for reusing connections. As a result, libcurl could mistakenly reuse a connection with credentials from a previous session that do not correspond to the current intended user or authentication context. This misalignment can lead to unauthorized access to sensitive data during FTP transfers, as the wrong credentials might be used without proper verification. The vulnerability is classified under CWE-305 (Authentication Bypass by Primary Weakness), indicating a fundamental flaw in the authentication mechanism. The issue was addressed and fixed in libcurl version 8.0.0. The CVSS v3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). There are no known exploits in the wild at the time of publication.
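A simplified model of the connection-cache match described in the description and analysis above, added here as an illustration; it is not libcurl's source. The pre-8.0.0 comparison looks only at endpoint and login, while the fixed comparison also requires the four FTP options to agree. Host name, credentials and option values are constructed sample data.

```python
from dataclasses import dataclass

# Simplified model of libcurl's connection-cache matching for FTP transfers,
# added to illustrate CVE-2023-27535. It is not libcurl's code; the field
# names only mirror the CURLOPT_* options the advisory lists.
@dataclass(frozen=True)
class FtpSetup:
    host: str
    port: int
    user: str
    password: str
    ftp_account: str = ""          # CURLOPT_FTP_ACCOUNT
    alternative_to_user: str = ""  # CURLOPT_FTP_ALTERNATIVE_TO_USER
    ssl_ccc: int = 0               # CURLOPT_FTP_SSL_CCC
    use_ssl: int = 0               # CURLOPT_USE_SSL

def match_pre_8_0_0(pooled, wanted):
    """Pre-fix check: only endpoint and login are compared, so setups that
    differ in account, ALT-user or TLS settings are wrongly treated as equal."""
    key = lambda s: (s.host, s.port, s.user, s.password)
    return key(pooled) == key(wanted)

def match_fixed(pooled, wanted):
    """Fixed check (libcurl >= 8.0.0 behaviour): the four FTP-specific
    options must match as well before a pooled connection is reused."""
    key = lambda s: (s.ftp_account, s.alternative_to_user, s.ssl_ccc, s.use_ssl)
    return match_pre_8_0_0(pooled, wanted) and key(pooled) == key(wanted)

def pick_connection(pool, wanted, match):
    """Return the first pooled connection the matcher accepts, else None
    (meaning a fresh connection with the correct settings would be opened)."""
    return next((c for c in pool if match(c, wanted)), None)

def reuse_decisions(first, second):
    """Run 'second' against a pool holding 'first'.
    Returns (reused_by_old_check, reused_by_fixed_check)."""
    pool = [first]
    return (pick_connection(pool, second, match_pre_8_0_0) is not None,
            pick_connection(pool, second, match_fixed) is not None)

# Constructed sample: same host and login, but the second transfer names a
# different FTP account and requires TLS; the old check still reuses it.
A = FtpSetup("ftp.example.test", 21, "alice", "s3cret")
B = FtpSetup("ftp.example.test", 21, "alice", "s3cret",
             ftp_account="proj-b", use_ssl=1)

if __name__ == "__main__":
    print(reuse_decisions(A, B))  # (True, False)
```

The `(True, False)` result is the whole bug: the old check hands the second transfer a connection established under a different account and without the requested TLS settings, the fixed check forces a new connection.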

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems and applications that utilize libcurl for FTP operations, especially those that rely on connection reuse for performance optimization. Unauthorized use of incorrect credentials during FTP transfers could lead to unintended data disclosure, exposing sensitive information such as proprietary files, personal data, or configuration details. This is particularly concerning for sectors handling regulated or sensitive data, including finance, healthcare, and government agencies. The vulnerability does not affect integrity or availability directly but compromises confidentiality, which can lead to compliance violations under GDPR and other data protection regulations. Given libcurl's widespread use in various software and embedded systems, the impact could be broad, affecting internal tools, automated scripts, and third-party applications. The medium severity score reflects the requirement for high attack complexity, which somewhat limits exploitation likelihood, but the absence of required privileges or user interaction means remote attackers could potentially exploit this if they can initiate FTP transfers through vulnerable clients.

Mitigation Recommendations

European organizations should prioritize upgrading libcurl to version 8.0.0 or later, where this vulnerability is fixed. For environments where immediate upgrade is not feasible, organizations should audit and restrict the use of FTP connection reuse features, especially in contexts where multiple user credentials are involved. Implement strict validation and isolation of FTP sessions to ensure credentials are not inadvertently shared across connections. Network segmentation and monitoring of FTP traffic can help detect anomalous access patterns. Additionally, organizations should review and harden FTP configurations, disabling unnecessary FTP options such as CURLOPT_FTP_ACCOUNT and CURLOPT_FTP_ALTERNATIVE_TO_USER if not required. Employing secure alternatives to FTP, such as SFTP or FTPS with proper authentication controls, can reduce exposure. Finally, integrate vulnerability scanning and software composition analysis into the development lifecycle to detect outdated libcurl versions and enforce timely patching.


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2023-03-02T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f5e1b0bd07c3938ff1c

Added to database: 6/10/2025, 6:54:22 PM

Last enriched: 7/10/2025, 7:20:07 PM

Last updated: 8/17/2025, 8:51:48 AM
