Description
SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

SmartFTP Client version 9.0.2615.0 contains a denial‑of‑service vulnerability that allows local users to crash the application by entering an excessively long string in the Host field. This buffer‑under‑validation flaw triggers an application crash when a Host value of 300 repeated characters is supplied, leading to an interruption of services for users relying on the client. The weakness is categorized as CWE‑466, reflecting inadequate input validation. There is no evidence of broader compromise such as code execution or data theft.

Affected Systems

The vulnerability affects SmartFTP Client version 9.0.2615.0 from the vendor Smartftp. No other versions are noted in the provided data.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further reducing the likelihood of active exploitation. The attack vector inferred from the description is local, requiring an attacker to have access to the system on which SmartFTP is running. Exploitation causes a client crash but does not elevate privileges or expose sensitive data, limiting the impact primarily to service availability on the affected host.

Generated by OpenCVE AI on April 8, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SmartFTP Client to the latest version that addresses the Host field validation flaw
  • If an update is unavailable, remove or restrict local users’ access to SmartFTP Client to prevent the adverse effect
  • Restart the application after any accidental crash and monitor the system for repeated denial‑of‑service incidents

Generated by OpenCVE AI on April 8, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:smartftp:smartftp:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Smartftp
Smartftp smartftp
Vendors & Products Smartftp
Smartftp smartftp

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
Title SmartFTP Client 9.0.2615.0 Denial of Service via Host Field
Weaknesses CWE-466
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Smartftp Smartftp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T18:06:41.161Z

Reserved: 2026-03-30T11:00:13.926Z

Link: CVE-2018-25234

cve-icon Vulnrichment

Updated: 2026-04-01T18:06:34.306Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T12:16:17.510

Modified: 2026-04-08T16:37:56.523

Link: CVE-2018-25234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:41Z

Weaknesses