Description
FTPShell Server 6.83 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the account name field. Attackers can trigger a denial of service by pasting a 417-byte payload into the 'Account name to ban' parameter within the Manage FTP Accounts interface.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

FTPShell Server 6.83 incorporates a buffer overflow that can be triggered by entering a 417‑byte string in the 'Account name to ban' field of the Manage FTP Accounts interface. The overflow resides in the account name handling code and causes the application to crash, resulting in a denial of service. This weakness is represented by CWE‑787, indicating a memory overwrite that compromises application stability.

Affected Systems

The affected product is FTPShell Server, distributed by Ftpshell, with version 6.83 specifically listed in the CVE data. The CPE strings also reference a 2002 release, but no explicit vulnerability is documented for that version. No other affected versions are identified in the provided information.

Risk and Exploitability

The CVSS score of 6.9 classifies the vulnerability as medium‑to‑high severity for a denial of service. EPSS data is unavailable, and the issue is not listed in CISA’s KEV catalog, suggesting no widely known exploitation. The attack requires local access and the ability to use the Manage FTP Accounts interface; a privileged local user can paste the overlong payload to crash the service, causing an outage. No additional exploitation conditions are mentioned.

Generated by OpenCVE AI on March 30, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch for FTPShell Server 6.83 or upgrade to a version that fixes the buffer overflow.
  • If a patch is not yet available, restrict local access to the Manage FTP Accounts interface or disable that feature until the fix is applied.
  • Monitor application logs for abnormal termination or repeated account deletion attempts and isolate affected systems if a denial of service is detected.

Generated by OpenCVE AI on March 30, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description FTPShell Server 6.83 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the account name field. Attackers can trigger a denial of service by pasting a 417-byte payload into the 'Account name to ban' parameter within the Manage FTP Accounts interface.
Title FTPShell Server 6.83 Denial of Service via Account Name
First Time appeared Ftpshell
Ftpshell ftpshell Server
Weaknesses CWE-787
CPEs cpe:2.3:a:ftpshell:ftpshell_server:2002:*:*:*:*:*:*:*
cpe:2.3:a:ftpshell:ftpshell_server:6.83:*:*:*:*:*:*:*
Vendors & Products Ftpshell
Ftpshell ftpshell Server
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ftpshell Ftpshell Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T16:00:21.098Z

Reserved: 2026-03-30T10:53:37.330Z

Link: CVE-2018-25226

cve-icon Vulnrichment

Updated: 2026-03-30T16:00:16.942Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T12:16:15.077

Modified: 2026-03-31T19:24:49.053

Link: CVE-2018-25226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:41:06Z

Weaknesses