CVE-2025-5636

| EUVD-2025-16966 HIGH
2025-06-05 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 17:53 euvd
EUVD-2025-16966
Analysis Generated
Mar 14, 2026 - 17:53 vuln.today
PoC Detected
Jun 24, 2025 - 15:49 vuln.today
Public exploit code
CVE Published
Jun 05, 2025 - 05:15 nvd
HIGH 7.3

Tags

Buffer Overflow Ftp Denial Of Service Ftp Server

Description

A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component SET Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical buffer overflow vulnerability in the SET Command Handler of PCMan FTP Server 2.0.7 that allows remote attackers to cause denial of service and potentially execute arbitrary code with no authentication required. The vulnerability has been publicly disclosed with exploit code available, making it an active threat to unpatched FTP server deployments. With a CVSS score of 7.3 and low attack complexity, this vulnerability represents a significant risk to organizations running vulnerable versions.

Technical Context

PCMan FTP Server is a lightweight FTP server implementation commonly used in embedded systems and Windows environments. The vulnerability resides in the SET command handler component, which processes FTP protocol commands. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) indicates that the SET command fails to properly validate input length before writing to a fixed-size buffer, resulting in a classic stack-based or heap-based buffer overflow. When a user sends a specially crafted SET command with an oversized argument, the server writes beyond buffer boundaries, corrupting adjacent memory. This occurs during FTP command parsing, which is executed with server privileges and network-accessible, making remote exploitation trivial. The FTP protocol specification does not inherently limit SET command argument lengths, placing responsibility on server implementations to enforce proper bounds checking.

Affected Products

PCMan FTP Server (['2.0.7'])

Remediation

Upgrade PCMan FTP Server to the latest available version (vendor should release a patched version; check https://www.pcmanftpserver.com or official repository) Workaround: Disable the SET command in FTP server configuration if possible, or restrict SET command usage to authenticated users only Network Mitigation: Implement FTP firewall rules to restrict FTP access to trusted networks only; disable FTP on internet-facing systems and use SFTP/SCP instead Detection: Monitor FTP server logs for abnormally long SET command arguments; implement IDS/IPS rules to block oversized FTP SET commands Alternative: Replace PCMan FTP Server with actively maintained alternatives such as FileZilla Server, ProFTPD, or vsftpd with regular security updates

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +36
POC: +20

Share

CVE-2025-5636 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy