Description
Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
Published: 2026-03-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A buffer overflow exists in Core FTP/SFTP Server version 1.2 that is triggered when an attacker supplies an excessively long string in the User domain field. Supplying a payload of roughly 7000 bytes in the domain configuration overflows the buffer and crashes the application, leaving the service unavailable. The flaw therefore results directly in a denial‑of‑service condition for users of the server.

Affected Systems

The vulnerability affects Core FTP/SFTP Server 1.2, the only affected software listed by the CNA. No other products or versions are mentioned as vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 8.7 and an EPSS score of less than 1%, indicating that while the vulnerability is severe, the probability that it is currently being exploited is low. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is remote: an attacker can send the long string to the FTP/SFTP server over the network so that it lands in the domain configuration. If the overflow is triggered, the server crashes, denying service to legitimate users.

Generated by OpenCVE AI on April 8, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a non‑vulnerable version of Core FTP/SFTP Server.
  • If a patch is not yet available, restrict external access to the FTP/SFTP service using firewalls or network segmentation to limit exposure to untrusted clients.
  • Monitor server logs and process states for unexpected crashes and consider disabling the vulnerable domain configuration feature until remedial action is performed.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 16:30:00 +0000

Values added:
  • First Time appeared: Coreftp core Ftp
  • CPEs: cpe:2.3:a:coreftp:core_ftp:1.2:*:*:*:*:*:*:*
  • Vendors & Products: Coreftp core Ftp

Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  • First Time appeared: Coreftp; Coreftp core Ftp/sftp Server
  • Vendors & Products: Coreftp; Coreftp core Ftp/sftp Server

Mon, 30 Mar 2026 15:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Values added:
  • Description: Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
  • Title: Core FTP/SFTP Server 1.2 Denial of Service via Buffer Overflow
  • Weaknesses: CWE-787
  • References: (none)
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  • Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

  • Coreftp
  • Core Ftp
  • Core Ftp/sftp Server

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:51:41.003Z

Reserved: 2026-03-30T10:56:05.639Z

Link: CVE-2019-25654

Vulnrichment

Updated: 2026-03-30T12:49:58.710Z

NVD

Status: Analyzed

Published: 2026-03-30T12:16:18.150

Modified: 2026-04-08T16:18:03.787

Link: CVE-2019-25654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:38Z

Weaknesses