Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
Published: 2026-03-30
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

BulletProof FTP Server version 2019.0.0.50 has a flaw in the SMTP configuration interface that allows a malicious user to crash the application. By entering an overly long string—a buffer of 257 'A' characters—in the SMTP Server field and triggering the Test button, the program fails, resulting in a denial of service for the local user. This weakness is classified as CWE-1282, a local input validation vulnerability that impacts application availability. The impact is limited to consumers of the FTP service; once the crash occurs, the server stops servicing requests until restarted, disrupting legitimate users.

Affected Systems

The vulnerability is known to affect the BulletProof FTP Server product of Bpftpserver, specifically release 2019.0.0.50. No other versions or products are listed as affected in the data provided.

Risk and Exploitability

The CVSS score of 6.8 places this issue in the medium severity range, with an EPSS value below 1% indicating that widespread exploitation is currently unlikely. The vulnerability is not part of the CISA KEV catalog. Exploitation requires local access to the hosting machine or to the FTP server’s configuration interface; an attacker would supply the oversized string to trigger the crash. Because the attack is local and does not propagate remotely, the risk to external systems is reduced, but any attacker with local privileges could still disrupt service.

Generated by OpenCVE AI on April 1, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s official website for a patch or newer release

Generated by OpenCVE AI on April 1, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Bpftpserver
Bpftpserver bulletproof Ftp Server
CPEs cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:*
Vendors & Products Bpftpserver
Bpftpserver bulletproof Ftp Server

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
Title BulletProof FTP Server 2019.0.0.50 Denial of Service via SMTP
Weaknesses CWE-1282
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Bpftpserver Bulletproof Ftp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T11:23:59.161Z

Reserved: 2026-03-30T10:55:16.091Z

Link: CVE-2018-25229

cve-icon Vulnrichment

Updated: 2026-03-30T11:23:53.601Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T12:16:16.397

Modified: 2026-03-31T19:16:38.077

Link: CVE-2018-25229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:20Z

Weaknesses