Description
Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
Published: 2026-03-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Core FTP/SFTP Server version 1.2 contains a buffer overflow in the User domain field. An attacker who supplies a 7000-byte string in the domain configuration causes the service to crash, denying availability. This is a high-impact denial of service condition classified as CWE-787.

Affected Systems

The affected product is Core FTP/SFTP Server 1.2, developed by Core FTP. No other versions are explicitly listed as vulnerable in the available data.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is rated high severity. The EPSS score is not available, and the issue is not listed in the KEV catalog. Exploitation requires remote modification of the User domain configuration; while the exact attack vector is not detailed, it is inferred that an attacker with administrative access or remote configuration capabilities could trigger the overflow and crash the service. The risk of exploitation remains significant given the high impact and the absence of documented mitigations.

Generated by OpenCVE AI on March 30, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Core FTP/SFTP Server to the latest release or apply the vendor's patch for the buffer overflow.
  • If an immediate upgrade is not possible, restrict or disable modifications to the User domain field to prevent excessive input lengths.
  • Restart the FTP/SFTP service after applying changes and monitor logs for any crashes.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Coreftp; Coreftp core Ftp/sftp Server
Vendors & Products  | -              | Coreftp; Coreftp core Ftp/sftp Server

Mon, 30 Mar 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics | -              | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 11:15:00 +0000

Type        | Values Removed | Values Added
Description | -              | Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
Title       | -              | Core FTP/SFTP Server 1.2 Denial of Service via Buffer Overflow
Weaknesses  | -              | CWE-787
References  | -              | -
Metrics     | -              | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:51:41.003Z

Reserved: 2026-03-30T10:56:05.639Z

Link: CVE-2019-25654

Vulnrichment

Updated: 2026-03-30T12:49:58.710Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T12:16:18.150

Modified: 2026-03-30T13:26:07.647

Link: CVE-2019-25654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:58Z

Weaknesses