CVE-2025-5592

| EUVD-2025-16872 HIGH
2025-06-04 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16872
PoC Detected
Jun 09, 2025 - 15:02 vuln.today
Public exploit code
CVE Published
Jun 04, 2025 - 14:15 nvd
HIGH 7.3

Tags

Buffer Overflow Ftp Server

Description

A vulnerability, which was classified as critical, has been found in FreeFloat FTP Server 1.0. Affected by this issue is some unknown functionality of the component PASSIVE Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical buffer overflow vulnerability in the PASSIVE Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to cause denial of service and potentially achieve code execution with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with working exploits available, making it an active threat to any organization still running this legacy FTP server software.

Technical Context

FreeFloat FTP Server 1.0 contains an improper bounds checking vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in the component handling the PASSIVE command of the FTP protocol (RFC 959). The PASSIVE command initiates passive mode transfers where the server listens for client connections. The buffer overflow occurs during the processing of PASSIVE command arguments or responses, likely in stack-allocated buffers that store connection parameters, IP addresses, or port information. This is a classic memory safety issue where insufficient input validation allows an attacker to write beyond allocated buffer boundaries, potentially corrupting the stack and overwriting return addresses or other critical data structures.

Affected Products

CPE: cpe:2.3:a:freefloat:freefloat_ftp_server:1.0:*:*:*:*:*:*:* (FreeFloat FTP Server version 1.0 and only this version explicitly mentioned). No patch versions or vendor advisory links provided in the source data. FreeFloat FTP Server is a legacy Windows FTP daemon from the 1990s-2000s era with minimal documentation. Affected configurations include any system running FreeFloat FTP Server 1.0 listening on network interfaces (default TCP port 21 for FTP control channel).

Remediation

Immediate mitigation steps: (1) DISCONTINUE USE: FreeFloat FTP Server 1.0 is ancient and unsupported; migrate to modern maintained FTP solutions (ProFTPD, vsftpd, IIS FTP on Windows) or preferably to SFTP/SSH solutions; (2) If migration is impossible short-term: implement network-level access controls restricting FTP connections to trusted IP ranges via firewall rules; disable PASSIVE mode if only ACTIVE mode is needed; (3) No patch exists for this legacy software—the vendor no longer supports FreeFloat FTP Server 1.0. Monitor vendor advisories at freefloat.com (if still operational); (4) Implement IDS/IPS signatures detecting oversized or malformed PASSIVE command payloads; (5) Run on systems with modern exploit mitigations (ASLR, DEP/NX, stack canaries) enabled to reduce exploitability even if buffer overflow occurs.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +36
POC: +20

Share

CVE-2025-5592 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy