Description
FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Attackers can inject shellcode through the account name parameter in the Manage FTP Accounts dialog to overwrite the return address and execute calc.exe or other commands.
Published: 2026-03-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

FTP Shell Server 6.83 includes a buffer overflow in the 'Account name to ban' field that lets a local attacker supply a crafted string and overwrite the return address. The attacker can inject shellcode and execute arbitrary commands, such as launching calc.exe or other programs, thereby gaining control over the application process with the privileges of the FTP Shell Server service.

Affected Systems

The vulnerability affects Ftpshell's FTP Shell Server product, version 6.83. No other versions or vendors are listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity, but the EPSS score indicates a very low probability of exploitation via the public internet. Because the flaw requires local access to the Manage FTP Accounts dialog, the attack vector is likely local. The vulnerability is not listed in the CISA KEV catalog. An attacker with local system access can execute arbitrary code, potentially compromising the entire host.

Generated by OpenCVE AI on April 3, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a newer, non‑vulnerable release of FTP Shell Server.
  • Restrict local access to accounts that can use the Manage FTP Accounts dialog to privileged or least‑privileged users.
  • Audit system logs for signs of unauthorized process creation or shellcode execution.
  • If a patch is not yet available and the service cannot be upgraded, consider disabling the FTP Shell Server service until a fix is applied.

Generated by OpenCVE AI on April 3, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ftpshell:ftpshell_server:6.83:*:*:*:*:*:*:*

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ftpshell
Ftpshell ftpshell Server
Vendors & Products Ftpshell
Ftpshell ftpshell Server

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Attackers can inject shellcode through the account name parameter in the Manage FTP Accounts dialog to overwrite the return address and execute calc.exe or other commands.
Title FTP Shell Server 6.83 Buffer Overflow via Account Name
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ftpshell Ftpshell Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:14:40.047Z

Reserved: 2026-03-22T13:34:07.967Z

Link: CVE-2019-25619

cve-icon Vulnrichment

Updated: 2026-03-23T16:14:36.818Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T14:16:30.873

Modified: 2026-04-03T14:33:32.480

Link: CVE-2019-25619

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:18:13Z

Weaknesses