Skip to main content

H3C GR2200 CVE-2025-44653

HIGH
Uncontrolled Resource Consumption (CWE-400)
2025-07-21 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable FTP flood with low complexity and no auth or interaction; impact is availability-only, so C:N/I:N/A:H, matching a resource-exhaustion DoS.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
CVE Published
Jul 05, 2026 - 02:08 cve.org
HIGH 7.5
Analysis Generated
Jul 05, 2026 - 01:39 vuln.today

DescriptionCVE.org

In H3C GR2200 MiniGR1A0V100R016, the USERLIMIT_GLOBAL option is set to 0 in the /etc/bftpd.conf. This can cause DoS attacks when unlimited users are connected.

AnalysisAI

Availability disruption in the H3C GR2200 router (firmware MiniGR1A0V100R016) arises because its bundled bftpd FTP daemon ships with USERLIMIT_GLOBAL set to 0 in /etc/bftpd.conf, imposing no ceiling on concurrent FTP sessions. Remote attackers can open large numbers of simultaneous connections to exhaust device sockets, memory, and CPU, degrading or crashing the FTP service and potentially the router itself. A public technical writeup exists and EPSS is modest (0.52%, 40th percentile); there is no public exploit identified beyond that writeup and no evidence of active exploitation (not listed in CISA KEV).

Technical ContextAI

The affected component is bftpd, a lightweight open-source FTP server commonly embedded in Linux-based networking appliances, running on the H3C GR2200 (firmware image MiniGR1A0V100R016), identified by CPE cpe:2.3:o:h3c:gr2200_firmware:minigr1a0v100r016. bftpd exposes a USERLIMIT_GLOBAL configuration directive that caps the total number of concurrent client connections the daemon will service; a value of 0 disables the limit entirely. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): without a global connection ceiling, each new FTP session consumes finite resources (file descriptors, worker processes/threads, memory) with no upper bound, so a flood of connections drives the system past its capacity. This is a configuration-hardening weakness in the shipped default config rather than a memory-corruption bug in the FTP protocol parser.

RemediationAI

No vendor-released patch identified at time of analysis; no fixed firmware version is cited in the available data, so check H3C's security advisories for GR2200 firmware updates superseding MiniGR1A0V100R016. The most direct compensating control is to edit /etc/bftpd.conf and set USERLIMIT_GLOBAL to a sane non-zero maximum (and consider USERLIMIT per-IP if supported) to cap concurrent sessions, accepting the trade-off that legitimate users beyond the limit are refused. If FTP is not required, disable the bftpd service entirely to remove the attack surface. Where FTP must remain, restrict reachability by firewalling TCP/21 to trusted management subnets or an allowlist of admin hosts and enforce per-source connection-rate limiting on the router's firewall, noting this blocks untrusted networks from any FTP use. Refer to the third-party technical writeups at the referenced gist and Notion pages for reproduction details until an official advisory is published.

Share

CVE-2025-44653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy