Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

BulletProof FTP Server 2019.0.0.50 contains a flaw that permits a local attacker who can alter firewall settings to crash the service by entering an overly long string into the DNS Address field. When the Test function is triggered, the server processes a 700‑byte buffer and terminates unexpectedly, causing a service outage.

Affected Systems

The vulnerability affects the BulletProof FTP Server product, version 2019.0.0.50. Systems that enable the DNS Address option in their firewall configuration are susceptible.

Risk and Exploitability

The assessment score of 6.9 corresponds to Medium severity, and the estimated chance of exploitation is very low, below 1%. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers require local access and appropriate privileges to modify firewall settings; no remote exploitation path is documented. The overall risk is therefore moderate in environments where local administrative functions are available, and the flaw is unlikely to be widely leveraged.

Generated by OpenCVE AI on March 25, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to a patched release that eliminates the DNS Address denial‑of‑service flaw.
  • If a patch is not yet available, disable the DNS Address option in the firewall configuration to eliminate the attack surface.
  • Restart the FTP service to apply configuration changes and confirm the service resumes normal operation.
  • Monitor service logs and performance metrics to ensure the application remains stable and to detect any unexpected restarts or crashes.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| CPEs | | cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:* |

Tue, 24 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| First Time appeared | | Bpftpserver; Bpftpserver bulletproof Ftp Server |
| Vendors & Products | | Bpftpserver; Bpftpserver bulletproof Ftp Server |

Sun, 22 Mar 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
| Description | | BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked. |
| Title | | BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address |
| Weaknesses | | CWE-1282 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T15:14:57.186Z

Reserved: 2026-03-21T16:46:27.878Z

Link: CVE-2019-25588

Vulnrichment

Updated: 2026-03-24T14:01:18.536Z

NVD

Status: Analyzed

Published: 2026-03-22T01:16:57.083

Modified: 2026-03-25T19:06:18.830

Link: CVE-2019-25588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:35Z

Weaknesses