Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. This issue affects some unknown processing of the component PROGRESS Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical buffer overflow vulnerability in the PROGRESS Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to achieve partial confidentiality, integrity, and availability impacts. The vulnerability affects FreeFloat FTP Server version 1.0 specifically, with a disclosed proof-of-concept exploit available in the public domain, indicating active interest in weaponization.
Technical ContextAI
FreeFloat FTP Server 1.0 contains a buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in its PROGRESS command handler component. This legacy FTP server implementation lacks proper input validation and bounds checking on command parameters, allowing attackers to write beyond allocated buffer boundaries. FreeFloat FTP Server is a standalone FTP daemon that implements RFC 959 FTP protocol handling. The PROGRESS command, likely a non-standard extension or undocumented feature, processes user-supplied data without adequate length verification, creating a classic stack or heap-based buffer overflow condition. The vulnerability is in the command parsing layer before protocol validation, making it trivially exploitable via direct FTP socket communication.
RemediationAI
Primary Mitigation: Immediate Decommissioning; description: FreeFloat FTP Server 1.0 is legacy software with no active vendor support. Organizations should migrate to modern, actively maintained FTP/SFTP solutions immediately. No official patches are expected. Temporary Mitigation: Network Segmentation; description: If immediate migration is impossible, restrict FTP port access (typically TCP 21) to trusted internal networks only. Implement firewall rules to deny external access. Temporary Mitigation: IDS/IPS Signatures; description: Deploy network intrusion detection signatures targeting buffer overflow attempts in PROGRESS command handlers. Monitor for anomalously long PROGRESS command parameters. Temporary Mitigation: Run-time Protection; description: Deploy Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) on systems running FreeFloat to reduce exploitation reliability. Long-term: Transition to Modern FTP Software; description: Migrate to maintained alternatives: vsftpd (Linux), ProFTPD, Pure-FTPd, or prefer SFTP/SSH File Transfer entirely.
More in Freefloat Ftp Server
View allA stack-based buffer overflow vulnerability exists in FreeFloat FTP Server version 1.0.0. Rated medium severity (CVSS 6.
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit
Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote authenticated users to execute arbitrary code via
Critical buffer overflow vulnerability in the NOOP Command Handler of FreeFloat FTP Server 1.0 that allows remote, unaut
A vulnerability was found in FreeFloat FTP Server 1.0 and classified as problematic. Rated high severity (CVSS 7.5), thi
Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's REIN Command Handler that allows unauthenticated re
Critical buffer overflow vulnerability in the XMKD Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticat
Critical buffer overflow vulnerability in the XCWD Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticat
Critical buffer overflow vulnerability in the RESTART Command Handler of FreeFloat FTP Server 1.0 that allows unauthenti
Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0 affecting the REGET command handler, allowing unauthe
Critical buffer overflow vulnerability in the SET Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticate
Critical buffer overflow vulnerability in the HOST Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticat
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16900