Skip to main content

bftpd CVE-2025-11947

LOW
Buffer Overflow (CWE-119)
2025-10-19 cna@vuldb.com
1.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.1 LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:19 vuln.today

DescriptionCVE.org

A weakness has been identified in bftpd up to 6.2. Impacted is the function expand_groups of the file options.c of the component Configuration File Handler. Executing a manipulation can lead to heap-based buffer overflow. It is possible to launch the attack on the local host. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Heap-based buffer overflow in bftpd up to version 6.2 within the expand_groups function of the configuration file handler allows local authenticated attackers to cause limited memory corruption with high attack complexity. Public exploit code is available, though the vulnerability requires local access and elevated privileges (PR:L), significantly limiting real-world exploitation potential compared to its CVSS score. The vendor did not respond to early disclosure.

Technical ContextAI

The vulnerability exists in the expand_groups function within options.c, a component responsible for parsing and processing configuration file directives in bftpd. The flaw is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating the function fails to validate buffer boundaries when processing group expansion directives. This typically occurs when configuration parsing routines allocate fixed-size buffers on the heap without proper length checking, allowing crafted configuration entries to write beyond allocated memory. The local attack vector and high complexity suggest the exploit requires careful manipulation of configuration files and likely depends on specific memory layout conditions or race conditions.

Affected ProductsAI

bftpd versions up to and including 6.2 are affected. The vulnerable component is the expand_groups function within options.c of the configuration file handler. No CPE string was provided in references; affected installations would typically match cpe:*:*:bftpd:*:*:*:*:*:*. The vendor (bftpd maintainers) did not respond to disclosure, suggesting no official patch or patched version has been released.

RemediationAI

No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure. Immediate remediation is limited to environment-level controls: (1) Restrict local system access to trusted administrators only - this eliminates the PR:L prerequisite for exploitation. (2) Enforce strict file permissions on bftpd configuration files (e.g., 0600 or 0400) to prevent unauthorized modification by local accounts. (3) Disable or remove bftpd if it is not actively used; if FTP service is required, migrate to maintained alternatives such as vsftpd (actively patched) or Pure-FTPd. (4) If bftpd must remain in use, monitor configuration file modifications via file integrity monitoring (FIM) tools to detect tampering attempts. (5) Run bftpd in a sandboxed or containerized environment with minimal privileges and restricted filesystem access to limit blast radius of heap corruption. Note: Given the vendor's non-responsiveness and the vulnerability's age, long-term solution should prioritize migration away from bftpd to supported FTP daemons.

Share

CVE-2025-11947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy