Description
Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process.
Published: 2026-04-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Core FTP Server version 2.0 build 653 is vulnerable when an unauthenticated client sends an oversized PBSZ command. A PBSZ command whose payload exceeds 211 bytes triggers an access violation that crashes the FTP server process. The crash results in a denial of service and disrupts the availability of the FTP service for all users, but does not directly compromise data confidentiality or integrity.

Affected Systems

The affected system is Core FTP Server version 2.0 build 653. No other versions or builds are mentioned as affected.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (CVSS v3.1: 7.5) indicates a high-severity vulnerability that can be exploited over the network without authentication or user interaction. Although the EPSS score is very low (below 1%) and the vulnerability is not listed in CISA's KEV catalog, the flaw can be triggered by sending a single crafted PBSZ request. Once the process crashes, the FTP service is unavailable until it is restarted, whether manually or by a service watchdog, making this a critical issue for services that rely on high availability.

Generated by OpenCVE AI on April 5, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Core FTP Server to the latest release from coreftp.com
  • Restart the FTP service after applying the patch to ensure stability
  • If an immediate upgrade is not possible, temporarily restrict access to the FTP control port (TCP/21 by default) to trusted networks, or block it from external traffic entirely, until the patch is applied

Generated by OpenCVE AI on April 5, 2026 at 23:20 UTC.
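For sites that cannot patch immediately, a control-channel check is a practical compensating control. The following is an added example, not code from the OpenCVE page or from Core FTP: it classifies client FTP command lines (assumed to come from a proxy log or a pcap export, one command per line) and flags PBSZ commands that exceed the 211-byte threshold stated in the description, as well as PBSZ arguments that are not the decimal integer RFC 2228 specifies (RFC 4217 TLS sessions always send "PBSZ 0"). The sample lines are constructed for illustration.

```python
"""Flag malformed or oversized PBSZ commands on an FTP control channel.

Added example, not code from the OpenCVE page or from Core FTP.
Assumes client command lines are available one per entry, e.g. from
a proxy log or a pcap export; the sample below is constructed.
"""
import re

# Threshold from the advisory: a PBSZ payload over 211 bytes crashes
# Core FTP 2.0 build 653.
PBSZ_CRASH_LEN = 211

# RFC 2228 defines PBSZ with a single decimal integer argument;
# RFC 4217 requires "PBSZ 0" on TLS-protected sessions.
_PBSZ_RE = re.compile(r"^PBSZ(?: (?P<arg>.*))?$", re.IGNORECASE | re.DOTALL)


def _pbsz_arg(line: str):
    """Return the PBSZ argument ("" if absent), or None for other commands."""
    m = _PBSZ_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("arg") or ""


def classify_pbsz(line: str) -> str:
    """Return "ok", "anomalous", "crash" or "other" for one client line."""
    arg = _pbsz_arg(line)
    if arg is None:
        return "other"
    if len(arg) > PBSZ_CRASH_LEN:
        return "crash"          # exceeds the documented crash threshold
    if not arg.isdigit():
        return "anomalous"      # not the decimal integer RFC 2228 requires
    return "ok"


def scan(lines):
    """Return (line_no, verdict, argument_length) for every suspicious PBSZ."""
    findings = []
    for n, line in enumerate(lines, 1):
        verdict = classify_pbsz(line)
        if verdict in ("crash", "anomalous"):
            findings.append((n, verdict, len(_pbsz_arg(line))))
    return findings


# Constructed sample of one client's control-channel commands.
SAMPLE = [
    "AUTH TLS\r\n",
    "PBSZ 0\r\n",                   # normal RFC 4217 usage
    "PROT P\r\n",
    "PBSZ " + "A" * 212 + "\r\n",    # over the 211-byte threshold
    "PBSZ abc\r\n",                  # malformed but short
    "USER anonymous\r\n",
]

if __name__ == "__main__":
    for n, verdict, arg_len in scan(SAMPLE):
        print(f"line {n}: PBSZ {verdict} (argument length {arg_len})")
```

Matching on content rather than length alone means the check also catches non-numeric PBSZ arguments that fall under the threshold, which are never legitimate and are the kind of variant a fuzzer or a modified proof of concept would produce.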

Advisories

No advisories yet.

History

Each entry below lists the values added; no values were removed in either change.

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics
Values added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type: Description
Values added: Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process.

Type: Title
Values added: Core FTP 2.0 build 653 PBSZ Unauthenticated Denial of Service

Type: First Time appeared
Values added: Coreftp; Coreftp core Ftp

Type: Weaknesses
Values added: CWE-306 (Missing Authentication for Critical Function)

Type: CPEs
Values added: cpe:2.3:a:coreftp:core_ftp:2.0:build_653:*:*:*:*:*:*

Type: Vendors & Products
Values added: Coreftp; Coreftp core Ftp

Type: References
Values added: (none)

Type: Metrics
Values added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  cvssV4_0
  {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:43:16.572Z

Reserved: 2026-04-05T15:24:05.668Z

Link: CVE-2019-25686

Vulnrichment

Updated: 2026-04-06T15:43:08.703Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:47.310

Modified: 2026-04-09T19:03:17.493

Link: CVE-2019-25686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:23Z

Weaknesses