Skip to main content

TRENDnet TPL-430AP CVE-2025-44651

HIGH
Uncontrolled Resource Consumption (CWE-400)
2025-07-21 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-facing FTP daemon with no connection cap is floodable unauthenticated at low complexity (AV:N/AC:L/PR:N/UI:N); impact is availability-only, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:34 vuln.today

DescriptionCVE.org

In TRENDnet TPL-430AP FW1.0, the USERLIMIT_GLOBAL option is set to 0 in the bftpd-related configuration file. This can cause DoS attacks when unlimited users are connected.

AnalysisAI

Uncontrolled resource consumption in the TRENDnet TPL-430AP powerline access point (firmware FW1.0) stems from its bundled bftpd FTP daemon shipping with USERLIMIT_GLOBAL=0, which imposes no cap on concurrent connections. A remote attacker can open unlimited simultaneous FTP sessions to exhaust device memory and connection resources, rendering the access point unresponsive (availability-only impact, no data compromise). No public exploit code has been confirmed, though a researcher gist and writeup describing the issue exist; EPSS risk is modest at 0.52% and the CVE is not listed in CISA KEV.

Technical ContextAI

The affected component is bftpd, a lightweight open-source FTP server commonly embedded in resource-constrained networking appliances, running on the TPL-430AP (a HomePlug/powerline Wi-Fi access point). bftpd's behavior is governed by a text configuration file, and the USERLIMIT_GLOBAL directive is meant to bound the total number of concurrent client sessions the daemon will service. On this firmware it is set to 0, which bftpd interprets as 'no limit.' The root cause maps to CWE-400 (Uncontrolled Resource Consumption): because no ceiling is enforced, each inbound connection consumes memory, file descriptors, and process/thread resources without bound. The CPE cpe:2.3:o:trendnet:tpl-430ap_firmware:1.0 scopes the flaw specifically to the FW1.0 operating-system/firmware level of this single device model.

RemediationAI

No vendor-released patch is identified at time of analysis, and no fixed firmware version is cited in the available data, so a version-specific upgrade cannot yet be recommended - monitor TRENDnet's support pages for a FW1.0-successor release. As concrete compensating controls: disable the bftpd FTP service entirely if it is not required for device operation (eliminates the attack surface at the cost of losing any FTP-based file access); if the service must run, correct the root cause by editing the bftpd configuration to set USERLIMIT_GLOBAL to a small finite value (e.g. a handful of sessions) and, if supported, a per-host connection limit, which bounds resource use but may reject legitimate concurrent transfers under load; and restrict network reachability by blocking inbound TCP/21 to the device at the LAN/perimeter firewall and permitting FTP only from trusted management hosts, which prevents flooding from untrusted sources but requires the device not be internet-exposed. Reference material: the researcher gist (https://gist.github.com/TPCchecker/9e27534ec59babcd4fd44d18fe7a56b3) and Notion writeup (https://www.notion.so/CVE-2025-44651-24754a1113e780da990eec3961100ae0).

Share

CVE-2025-44651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy