What is the CVSS score of EUVD-2025-16799?

EUVD-2025-16799 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.2%.

Which versions of Freefloat Ftp Server are affected by EUVD-2025-16799?

FreeFloat FTP Server 1.0 contains a critical buffer overflow vulnerability (CVE-2025-5550) that allows remote attackers to execute arbitrary code.

Is there a public PoC exploit available for EUVD-2025-16799?

Yes, a public proof-of-concept exploit is available for EUVD-2025-16799. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate EUVD-2025-16799?

Within 24 hours: Identify all systems running FreeFloat FTP Server 1.0 and isolate them from untrusted networks or disable FTP services if not business-critical. Within 7 days: Migrate to an alternative, actively maintained FTP server solution (e.g., vsftpd, ProFTPD with current patches) or implement network-level access controls restricting FTP connections to authorized IP ranges only. Within 30 days: Complete migration off FreeFloat FTP Server 1.0 and decommission all instances; validate that no legacy dependencies remain.

Freefloat Ftp Server EUVD-2025-16799

| CVE-2025-5550 HIGH

Buffer Overflow (CWE-119)

2025-06-04 cna@vuldb.com

Buffer Overflow Freefloat Ftp Server

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:29 euvd

EUVD-2025-16799

Analysis Generated

Mar 14, 2026 - 17:29 vuln.today

PoC Detected

Jun 24, 2025 - 15:21 vuln.today

Public exploit code

CVE Published

Jun 04, 2025 - 01:15 nvd

HIGH 7.3

DescriptionNVD

A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. Affected by this issue is some unknown functionality of the component PBSZ Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's PBSZ Command Handler that allows unauthenticated remote attackers to cause denial of service and potentially achieve code execution with low integrity and confidentiality impact. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk; however, the CVSS 7.3 score reflects limited scope and partial confidentiality/integrity impact rather than complete system compromise.

Technical ContextAI

The vulnerability exists in the FTP protocol's PBSZ (Protection Buffer Size) command handler, a mechanism used to negotiate secure data channel parameters in FTP sessions (typically associated with AUTH TLS/SSL extensions per RFC 4217). CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) indicates insufficient input validation on the PBSZ parameter value, causing a classic stack or heap buffer overflow. The FTP protocol itself is inherently insecure and runs on port 21/TCP; the PBSZ command accepts an integer parameter specifying buffer size, which FreeFloat FTP Server 1.0 fails to properly bounds-check before copying to a fixed-size buffer. CPE identifier would be: cpe:2.3:a:freefloat:ftp_server:1.0:*:*:*:*:*:*:* (exact CPE from vendor if available; FreeFloat is a legacy Windows-based FTP server often deployed in legacy environments).

RemediationAI

Primary: Upgrade FreeFloat FTP Server to a patched version if vendor released one (contact FreeFloat/check vendor site for version 1.1+ or replacement); FreeFloat development is defunct/legacy, so patches may not be available—consider migration to maintained FTP server (vsftpd, ProFTPD, IIS FTP on modern Windows). Immediate mitigations: (1) Disable FTP entirely if not required; migrate to SFTP/SCP; (2) Restrict FTP port 21/TCP access via firewall to trusted internal networks only; (3) Run FTP service in a network-isolated or DMZ segment with no direct internet exposure; (4) Implement IDS/IPS rules detecting oversized PBSZ parameter values (e.g., PBSZ values >16MB or non-numeric input); (5) If upgrade path exists, apply immediately; (6) Monitor FTP logs for PBSZ command anomalies or connection drops. No vendor advisory link available; check archived security databases or vendor site directly.

EUVD-2025-16799 vulnerability details – vuln.today

Back