If the server is only for internal use or specific clients, restrict access at the firewall level to known IP addresses.
The vulnerability is a buffer overflow in the FileZilla Server.exe executable, specifically in the handle_request function. This function is responsible for handling incoming FTP requests.
If an attacker is on the same network, they can sniff the admin password using tools like Wireshark.
Metasploit modules such as "post/windows/gather/credentials/filezilla_server" can parse the XML configuration files to extract users and password hashes (often stored as MD5).
Never test exploit code against a system, network, or server that you do not own or have explicit, written permission to test.