Description
FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP field to trigger a buffer overflow that crashes the FTP Voyager process.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

FTP Voyager 16.2.0 contains a buffer overflow in the site profile IP field that allows a local attacker to crash the application by inserting 500 bytes of repeated characters. The flaw is a classic over‑read/overwrite error (CWE‑787). Although the vulnerability does not expose sensitive data or enable code execution, the service becomes unavailable until restarted, resulting in downtime for FTP operations.

Affected Systems

The affected product is Serv‑U FTP Voyager version 16.2.0, as identified by the vendor and the associated CPE string. No other versions are listed as impacted.

Risk and Exploitability

The CVSS Base Score of 6.9 indicates moderate severity. With no EPSS score available and no listing in CISA’s KEV catalog, public exploitation appears limited. Attackers must have local access to create or modify a site profile, so the risk is greatest in environments where users possess configuration privileges.

Generated by OpenCVE AI on April 4, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch for FTP Voyager 16.2.0 or upgrade to a newer version that resolves the buffer overflow.
  • Restrict local user privileges so that only authorized administrators can create or modify site profiles.
  • If the site profile feature is not required, disable it to eliminate the attack surface.
  • Configure log monitoring to flag attempts to create or alter site profiles with unusually large IP field values, and set alerts for such events.

Generated by OpenCVE AI on April 4, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:solarwinds:ftp_voyager:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Serv-u
Serv-u ftp Voyager
Vendors & Products Serv-u
Serv-u ftp Voyager

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP field to trigger a buffer overflow that crashes the FTP Voyager process.
Title FTP Voyager 16.2.0 Denial of Service via Malformed Site Profile
First Time appeared Solarwinds
Solarwinds ftp Voyager
Weaknesses CWE-787
CPEs cpe:2.3:a:solarwinds:ftp_voyager:16.2.0:*:*:*:*:*:*:*
Vendors & Products Solarwinds
Solarwinds ftp Voyager
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Serv-u Ftp Voyager
Solarwinds Ftp Voyager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T16:40:48.739Z

Reserved: 2026-04-04T13:28:29.879Z

Link: CVE-2018-25252

cve-icon Vulnrichment

Updated: 2026-04-06T16:40:39.735Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T14:16:21.367

Modified: 2026-04-20T14:33:37.820

Link: CVE-2018-25252

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:35Z

Weaknesses