H3C GR2200 CVE-2025-44653
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable FTP flood with low complexity and no auth or interaction; impact is availability-only, so C:N/I:N/A:H, matching a resource-exhaustion DoS.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
In H3C GR2200 MiniGR1A0V100R016, the USERLIMIT_GLOBAL option is set to 0 in the /etc/bftpd.conf. This can cause DoS attacks when unlimited users are connected.
AnalysisAI
Availability disruption in the H3C GR2200 router (firmware MiniGR1A0V100R016) arises because its bundled bftpd FTP daemon ships with USERLIMIT_GLOBAL set to 0 in /etc/bftpd.conf, imposing no ceiling on concurrent FTP sessions. Remote attackers can open large numbers of simultaneous connections to exhaust device sockets, memory, and CPU, degrading or crashing the FTP service and potentially the router itself. A public technical writeup exists and EPSS is modest (0.52%, 40th percentile); there is no public exploit identified beyond that writeup and no evidence of active exploitation (not listed in CISA KEV).
Technical ContextAI
The affected component is bftpd, a lightweight open-source FTP server commonly embedded in Linux-based networking appliances, running on the H3C GR2200 (firmware image MiniGR1A0V100R016), identified by CPE cpe:2.3:o:h3c:gr2200_firmware:minigr1a0v100r016. bftpd exposes a USERLIMIT_GLOBAL configuration directive that caps the total number of concurrent client connections the daemon will service; a value of 0 disables the limit entirely. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): without a global connection ceiling, each new FTP session consumes finite resources (file descriptors, worker processes/threads, memory) with no upper bound, so a flood of connections drives the system past its capacity. This is a configuration-hardening weakness in the shipped default config rather than a memory-corruption bug in the FTP protocol parser.
RemediationAI
No vendor-released patch identified at time of analysis; no fixed firmware version is cited in the available data, so check H3C's security advisories for GR2200 firmware updates superseding MiniGR1A0V100R016. The most direct compensating control is to edit /etc/bftpd.conf and set USERLIMIT_GLOBAL to a sane non-zero maximum (and consider USERLIMIT per-IP if supported) to cap concurrent sessions, accepting the trade-off that legitimate users beyond the limit are refused. If FTP is not required, disable the bftpd service entirely to remove the attack surface. Where FTP must remain, restrict reachability by firewalling TCP/21 to trusted management subnets or an allowlist of admin hosts and enforce per-source connection-rate limiting on the router's firewall, noting this blocks untrusted networks from any FTP use. Refer to the third-party technical writeups at the referenced gist and Notion pages for reproduction details until an official advisory is published.
More in Gr2200 Firmware
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today