Description
A stack-based buffer overflow vulnerability exists in the login functionality of Disk Pulse Enterprise version 9.0.34. An attacker can send a specially crafted HTTP POST request to the /login endpoint with an overly long username parameter, causing a buffer overflow in the libspp.dll component. Successful exploitation allows arbitrary code execution with SYSTEM privileges.
Published: 2025-07-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow in Disk Pulse Enterprise 9.0.34 that is triggered by an excessively long username included in an HTTP POST to the /login endpoint. The overflow occurs in the libspp.dll component, allowing an attacker to overwrite control data and execute arbitrary code with SYSTEM privileges, creating a full compromise of the affected system.

Affected Systems

Falconstor Software’s Disk Pulse Enterprise version 9.0.34 is affected by this flaw; no other products or versions are explicitly listed.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while an EPSS of <1% points to a relatively low probability of exploitation in the wild. The attack vector is remote: the attacker only needs to send the crafted POST request over the network, with no local user privileges or pre‑existing access required. The vulnerability is not included in the CISA KEV catalog, but remote code execution at the SYSTEM level presents a severe risk to impacted installations.

Generated by OpenCVE AI on June 18, 2026 at 11:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Disk Pulse Enterprise to a version that fixes the buffer overflow.
  • Restrict network access to the /login endpoint by allowing only trusted IP ranges or internal hosts, using firewalls or ingress rules to block external exposure.
  • Add server‑side validation to the username field to enforce a maximum length and reject inputs that exceed this limit; as an additional safeguard, deploy a Web Application Firewall that blocks anomalous POST payloads.
  • Implement monitoring of login requests and apply rate limiting to mitigate automated exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 11:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21435 A stack-based buffer overflow vulnerability exists in the login functionality of Disk Pulse Enterprise version 9.0.34. An attacker can send a specially crafted HTTP POST request to the /login endpoint with an overly long username parameter, causing a buffer overflow in the libspp.dll component. Successful exploitation allows arbitrary code execution with SYSTEM privileges.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00204}

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow vulnerability exists in the login functionality of Disk Pulse Enterprise version 9.0.34. An attacker can send a specially crafted HTTP POST request to the /login endpoint with an overly long username parameter, causing a buffer overflow in the libspp.dll component. Successful exploitation allows arbitrary code execution with SYSTEM privileges.
Title Disk Pulse Enterprise 9.0.34 Login Stack Buffer Overflow
Weaknesses CWE-121
CWE-20
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:35.626Z

Reserved: 2025-04-15T19:15:22.560Z

Link: CVE-2025-34108

cve-icon Vulnrichment

Updated: 2025-07-15T13:40:11.265Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T13:15:30.527

Modified: 2026-06-17T09:13:28.837

Link: CVE-2025-34108

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow

  • CWE-20

    Improper Input Validation