Description
Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.
Published: 2026-03-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Free Float FTP 1.0 contains a buffer overflow in the handler for the STOR command. A remote attacker can connect to the FTP service, authenticate with anonymous credentials, and send a STOR request that includes 247 bytes of padding followed by a crafted return address and shellcode. This overflows a buffer and causes the server to execute the injected code, allowing the attacker to run arbitrary commands on the FTP server.

Affected Systems

The vulnerability affects Free Float FTP Server version 1.0, delivered by Freefloat. No other versions are listed. Site‑administrators should confirm whether this exact software is in use and if the STOR command is enabled.

Risk and Exploitability

The CVSS score of 9.3 indicates high severity. EPSS shows exploitation probability lower than 1%, and the flaw is not currently listed in the CISA KEV catalog. The attack vector is inferred from the description as remote network access via the FTP protocol using anonymous login, which requires no privilege beyond the default access granted to unauthenticated users. Because the flaw permits arbitrary code execution, it poses a significant risk and demands prompt remediation.

Generated by OpenCVE AI on March 23, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Free Float FTP if a newer release is available
  • If no patch exists, disable anonymous login or restrict access to trusted networks
  • Monitor FTP logs for abnormal STOR commands and potential exploitation attempts

Generated by OpenCVE AI on March 23, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freefloat:freefloat_ftp_server:1.0:*:*:*:*:*:*:*

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Freefloat
Freefloat freefloat Ftp Server
Vendors & Products Freefloat
Freefloat freefloat Ftp Server

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.
Title Free Float FTP 1.0 STOR Command Remote Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Freefloat Freefloat Ftp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:29:55.416Z

Reserved: 2026-03-22T13:27:08.647Z

Link: CVE-2019-25614

cve-icon Vulnrichment

Updated: 2026-03-23T15:29:50.568Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T14:16:29.930

Modified: 2026-03-23T19:42:13.470

Link: CVE-2019-25614

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:44Z

Weaknesses