Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
Published: 2026-03-30
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability resides in the SMTP configuration interface of BulletProof FTP Server version 2019.0.0.50. An oversized input can trigger a crash when the Test button is used, resulting in a denial of service. The weakness, classified as CWE‑1282, allows an attacker to supply a buffer of 257 'A' characters to cause the application to crash.

Affected Systems

BulletProof FTP Server 2019.0.0.50, produced by Bpftpserver. The issue is present only in that specific release; users should verify whether newer or older versions are impacted.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. No EPSS score is available, so the likelihood of exploitation is uncertain. Based on the description, the attack vector is local: an attacker with access to the SMTP configuration interface can trigger the crash. The KEV database lists no known exploitation of this flaw. The vulnerability does not enable remote code execution, but it lets a local attacker interrupt service availability, which can be disruptive in shared environments.

Generated by OpenCVE AI on March 30, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched version of BulletProof FTP Server once the vendor releases it.
  • Until a patch is available, disable the SMTP configuration interface or restrict local access to the Test button to prevent accidental execution of the vulnerable code.
  • Check the vendor’s website or security advisories for updates and monitor for any new patches or workarounds.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Bpftpserver; Bpftpserver bulletproof Ftp Server |
| CPEs | | cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:* |
| Vendors & Products | | Bpftpserver; Bpftpserver bulletproof Ftp Server |

Mon, 30 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 30 Mar 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button. |
| Title | | BulletProof FTP Server 2019.0.0.50 Denial of Service via SMTP |
| Weaknesses | | CWE-1282 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T11:23:59.161Z

Reserved: 2026-03-30T10:55:16.091Z

Link: CVE-2018-25229

Vulnrichment

Updated: 2026-03-30T11:23:53.601Z

NVD

Status: Analyzed

Published: 2026-03-30T12:16:16.397

Modified: 2026-03-31T19:16:38.077

Link: CVE-2018-25229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:41:04Z
