Description
MiniFtp contains a buffer overflow vulnerability in the parseconf_load_setting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can craft a miniftpd.conf file with values exceeding 128 bytes to overflow stack buffers and overwrite the return address, enabling code execution with root privileges.
Published: 2026-03-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

MiniFtp contains a buffer overflow in the parseconf_load_setting function that allows a local attacker to supply oversized configuration values exceeding 128 bytes. By crafting a malicious miniftpd.conf file, the attacker can overflow a stack buffer and overwrite the return address, leading to execution of arbitrary code with root privileges. The weakness is a classic stack-based buffer overflow (CWE-787). The impact enables the attacker to gain full control over the system running MiniFtp, compromising confidentiality, integrity, and availability. This attack requires local access to modify the configuration file, as the vulnerability is triggered only when the daemon parses the file during startup.

Affected Systems

The affected product is MiniFtp from SkyQinSC. No specific version range is listed in the advisory; version information is missing. Therefore, all versions of MiniFtp that still parse unfettered configuration files are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. EPSS data is unavailable, so the probability of exploitation in the wild cannot be quantified. The vulnerability has not been cataloged in CISA’s KEV list. The likely attack vector is local, requiring the attacker to modify the configuration file before starting MiniFtp. Once exploited, the attacker achieves root-level code execution, which is a critical risk for any system where MiniFtp is in use.

Generated by OpenCVE AI on March 22, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-released patch or upgrade MiniFtp to the latest available version
  • Ensure that only privileged users can create or modify the miniftpd.conf file
  • Restrict MiniFtp’s network exposure and disable the service if it is not required
  • Monitor system logs for anomalous activity related to MiniFtp
  • If a patch is not available, consider removing or decommissioning MiniFtp from the environment

Generated by OpenCVE AI on March 22, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Skyqinsc
Skyqinsc miniftp
Vendors & Products Skyqinsc
Skyqinsc miniftp

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description MiniFtp contains a buffer overflow vulnerability in the parseconf_load_setting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can craft a miniftpd.conf file with values exceeding 128 bytes to overflow stack buffers and overwrite the return address, enabling code execution with root privileges.
Title MiniFtp parseconf_load_setting Buffer Overflow via Configuration
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Skyqinsc Miniftp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T19:11:13.237Z

Reserved: 2026-03-22T13:21:28.506Z

Link: CVE-2019-25611

cve-icon Vulnrichment

Updated: 2026-03-23T19:11:04.674Z

cve-icon NVD

Status : Deferred

Published: 2026-03-22T14:16:29.360

Modified: 2026-04-16T16:19:50.757

Link: CVE-2019-25611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:05Z

Weaknesses