CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. This issue affects some unknown processing of the component PROGRESS Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
A critical buffer overflow in the PROGRESS command handler of FreeFloat FTP Server 1.0 allows unauthenticated remote attackers to achieve partial confidentiality, integrity, and availability impacts. The vulnerability affects FreeFloat FTP Server version 1.0 specifically, and a proof-of-concept exploit has been publicly disclosed, indicating active interest in weaponization.
Technical Context
FreeFloat FTP Server 1.0 contains a buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in its PROGRESS command handler component. This legacy FTP server implementation lacks proper input validation and bounds checking on command parameters, allowing attackers to write beyond allocated buffer boundaries. FreeFloat FTP Server is a standalone FTP daemon that implements RFC 959 FTP protocol handling. The PROGRESS command, likely a non-standard extension or undocumented feature, processes user-supplied data without adequate length verification, creating a classic stack or heap-based buffer overflow condition. The vulnerability is in the command parsing layer before protocol validation, making it trivially exploitable via direct FTP socket communication.
Affected Products
FreeFloat FTP Server 1.0
Remediation
Primary Mitigation: Immediate Decommissioning. FreeFloat FTP Server 1.0 is legacy software with no active vendor support. Organizations should migrate to modern, actively maintained FTP/SFTP solutions immediately. No official patches are expected.
Temporary Mitigation: Network Segmentation. If immediate migration is impossible, restrict FTP port access (typically TCP 21) to trusted internal networks only. Implement firewall rules to deny external access.
Temporary Mitigation: IDS/IPS Signatures. Deploy network intrusion detection signatures targeting buffer overflow attempts in PROGRESS command handlers. Monitor for anomalously long PROGRESS command parameters.
Temporary Mitigation: Run-time Protection. Deploy Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) on systems running FreeFloat to reduce exploitation reliability.
Long-term: Transition to Modern FTP Software. Migrate to maintained alternatives: vsftpd (Linux), ProFTPD, Pure-FTPd, or prefer SFTP/SSH File Transfer entirely.
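Added example (not part of the original advisory and not FreeFloat code): one way to implement the "anomalously long PROGRESS command parameters" monitoring described above, by reassembling client-to-server control-channel payloads into lines before measuring the argument. The class name FtpControlMonitor, the 128-byte and 512-byte limits, and matching the verb by prefix are assumptions, since the advisory gives no buffer size or parsing details; the traffic in demo() is constructed.

```python
# Assumed limits: the advisory states no buffer size, so tune these
# against legitimate traffic before alerting on them.
MAX_ARG_LEN = 128    # longest PROGRESS argument treated as normal
MAX_LINE_LEN = 512   # longest control line allowed without a terminator


class FtpControlMonitor:
    """Reassembles client-to-server FTP control data into lines and
    reports PROGRESS commands whose argument exceeds the limit."""

    def __init__(self, max_arg=MAX_ARG_LEN, max_line=MAX_LINE_LEN):
        self.max_arg, self.max_line, self.buf = max_arg, max_line, b""

    def feed(self, segment):
        """Consume one TCP payload and return a list of alert dicts."""
        alerts = []
        self.buf += segment
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            alerts += self._inspect(line.rstrip(b"\r"))
        # A long run with no line terminator is inspected as-is so the
        # reassembly buffer cannot grow without bound.
        if len(self.buf) > self.max_line:
            alerts += self._inspect(self.buf, unterminated=True)
            self.buf = b""
        return alerts

    def _inspect(self, line, unterminated=False):
        stripped = line.lstrip()
        # Prefix match, case-insensitive: how the server tokenises the
        # verb is unknown, so "PROGRESSxxxx" is measured as well.
        if stripped[:8].upper() != b"PROGRESS":
            return []
        arg = stripped[8:].strip()
        if len(arg) > self.max_arg or unterminated:
            return [{"verb": "PROGRESS", "arg_len": len(arg),
                     "unterminated": unterminated}]
        return []


def demo():
    """Constructed session: the long command is split across payloads."""
    segments = [b"USER anonymous\r\nPASS a@b\r\n", b"PROGRESS 42\r\nprog",
                b"ress " + b"A" * 300, b"\r\nQUIT\r\n"]
    mon = FtpControlMonitor()
    return [a for seg in segments for a in mon.feed(seg)]
```

Keep one monitor instance per TCP connection so that a command split across segments is measured as a whole.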
EUVD-2025-16900