Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The storage-path configuration setting in BulletProof FTP Server 2019.0.0.50 accepts an excessively long string that causes the application to crash when the configuration is saved. An attacker with local privilege can enable the Override Storage-Path option and paste a buffer of 500 bytes or more, resulting in a denial of service for the FTP service while the server remains stuck until it is restarted. The flaw is caused by insufficient input validation of the length of the path string and is classified as a buffer overflow style issue (CWE-1282).

Affected Systems

BulletProof FTP Server version 2019.0.0.50, provided by Bpftpserver, is affected on Windows operating systems. This vulnerability does not exist in earlier or later releases of the product.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Because the exploit requires local access and offers no way to execute arbitrary code, the risk is limited to a temporary service outage. The EPSS score of less than 1% reflects a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. This suggests that while the flaw is real, it is unlikely to be widely abused in the wild.

Generated by OpenCVE AI on March 25, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch for BulletProof FTP Server.
  • If a patch is not available, edit the configuration file to disable the Override Storage-Path option.
  • Restart the FTP service after modifying the configuration to ensure the change takes effect.
  • Monitor system logs for attempts to write oversized Storage-Path values or repeated service crashes.
  • Restrict local administrative access to the configuration files to reduce the risk of abuse.

Generated by OpenCVE AI on March 25, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:*

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Bpftpserver
Bpftpserver bulletproof Ftp Server
Vendors & Products Bpftpserver
Bpftpserver bulletproof Ftp Server

Sun, 22 Mar 2026 00:30:00 +0000

Type Values Removed Values Added
Description BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.
Title BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service
Weaknesses CWE-1282
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Bpftpserver Bulletproof Ftp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T19:51:45.392Z

Reserved: 2026-03-21T16:46:16.106Z

Link: CVE-2019-25587

cve-icon Vulnrichment

Updated: 2026-03-23T19:50:59.515Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T01:16:56.897

Modified: 2026-03-25T19:10:46.740

Link: CVE-2019-25587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:36Z

Weaknesses