Author
Danny Grander
Word count
1603
Language
English
Hacker News points
1

Summary

A vulnerability was identified in FTP clients and libraries that allows a malicious server to create or overwrite files anywhere on the client's local file system. The root cause is a lack of validation of filenames returned by the server in directory listings: when a client downloads a directory recursively, it builds the local destination path from the server-supplied name, so a name such as one containing "../" sequences escapes the intended download directory. An attacker controlling the server can use this to gain code execution, for example by overwriting the authorized_keys file of the root user on an Apache Hive instance. The vulnerability was discovered in November 2017 and responsibly disclosed to several affected vendors, who planned to release fixed versions by the end of February 2018. The general lesson is that data returned by a remote peer is untrusted input and must be validated before use, in particular filenames taken from FTP directory listings, by any application or library that speaks these protocols.
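The failure mode described above, shown as an added example that is not code from the original post or from any of the affected vendors. It parses a constructed UNIX-style FTP LIST response (sample data, not a real capture) in which the server returns a traversal filename, and contrasts the naive path join a vulnerable recursive-download client performs with a hardened variant that refuses names containing separators or ".." and additionally checks that the resolved path stays inside the download directory. The function names, the listing regex and the `/srv/downloads` directory are assumptions for illustration; the `/root/.ssh/authorized_keys` target is the scenario from the article.

```python
import posixpath
import re

# Constructed sample LIST response (UNIX "ls -l" style) as a malicious FTP
# server might return it. The third entry is the attack: joined naively to the
# client's download directory, the name escapes that directory.
SAMPLE_LISTING = """\
-rw-r--r--   1 ftp      ftp          1024 Nov 20 10:00 report.txt
drwxr-xr-x   2 ftp      ftp          4096 Nov 20 10:00 data
-rw-r--r--   1 ftp      ftp           400 Nov 20 10:00 ../../../root/.ssh/authorized_keys
"""

# Minimal matcher for UNIX-style listing lines (hypothetical, illustration only):
# type flag, 9 permission bits, link count, owner, group, size, month, day,
# time-or-year, then the filename (which may contain spaces or slashes).
LIST_LINE = re.compile(
    r"^([\-dl])[rwxsStT\-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$"
)


class UnsafeFilename(ValueError):
    """Raised when a server-supplied name must not be used as a local path."""


def parse_listing(text):
    """Return (type_flag, name) tuples for each recognised line of a LIST response."""
    entries = []
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def vulnerable_local_path(download_dir, server_name):
    """The pattern the article describes: trust the server's name and join it.

    posixpath.normpath collapses the '..' components, so a hostile name lands
    wherever the server chose on the client's file system.
    """
    return posixpath.normpath(posixpath.join(download_dir, server_name))


def safe_local_path(download_dir, server_name):
    """Hardened variant: treat the server's name as untrusted input.

    Two independent checks, in order:
      1. Lexical: reject empty names, '.', '..', NUL bytes and any path separator
         (both '/' and '\\', since the client might run on Windows). A listing
         entry is a single directory entry, so a separator is never legitimate.
      2. Structural: resolve the joined path and confirm it is still inside the
         download directory. This catches anything the first check misses.
    """
    if not server_name or server_name in (".", ".."):
        raise UnsafeFilename("empty or dot entry: %r" % server_name)
    if "/" in server_name or "\\" in server_name or "\x00" in server_name:
        raise UnsafeFilename("path separator or NUL in name: %r" % server_name)

    base = posixpath.normpath(posixpath.abspath(download_dir))
    candidate = posixpath.normpath(posixpath.join(base, server_name))
    if posixpath.commonpath([base, candidate]) != base:
        raise UnsafeFilename("name escapes download directory: %r" % server_name)
    return candidate


def plan_downloads(download_dir, listing_text):
    """Decide, for each listed file, where a hardened client would write it.

    Returns (accepted, rejected): accepted maps server name -> local path,
    rejected maps server name -> reason. Directories are skipped here; a real
    recursive client would apply the same check before descending into them.
    """
    accepted, rejected = {}, {}
    for type_flag, name in parse_listing(listing_text):
        if type_flag != "-":
            continue
        try:
            accepted[name] = safe_local_path(download_dir, name)
        except UnsafeFilename as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    hostile = "../../../root/.ssh/authorized_keys"
    print("vulnerable client would write to:", vulnerable_local_path("/srv/downloads", hostile))
    print("hardened client plan:", plan_downloads("/srv/downloads", SAMPLE_LISTING))
```

The lexical check alone is sufficient for names taken from a LIST response, because a single directory entry can never legitimately contain a separator; the containment check is kept as defence in depth for clients that build paths from other server-controlled data (for example the current working directory reported by PWD).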