Skip to main content

Ftp EUVDEUVD-2025-16816

| CVE-2025-5549 HIGH
Buffer Overflow (CWE-119)
2025-06-04 cna@vuldb.com
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16816
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
PoC Detected
Jun 24, 2025 - 15:21 vuln.today
Public exploit code
CVE Published
Jun 04, 2025 - 01:15 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability has been found in FreeFloat FTP Server 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component PASV Command Handler. The manipulation leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Critical buffer overflow vulnerability in the PASV command handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to cause denial of service and potentially achieve code execution with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, making it immediately actionable for threat actors. While the CVSS score of 7.3 reflects moderate severity, the combination of remote exploitability, public POC availability, and lack of authentication requirements positions this as a high-priority remediation target.

Technical ContextAI

FreeFloat FTP Server 1.0 implements the File Transfer Protocol (FTP) with a vulnerable PASV (Passive Mode) command handler. The PASV command is a standard FTP mechanism that instructs the server to enter passive mode for data transfer, returning an IP address and port for the client to connect to. The vulnerability manifests as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic buffer overflow condition where user-supplied input from the PASV command is insufficiently validated before being written to a fixed-size buffer. This allows an attacker to overflow the buffer, overwrite adjacent memory structures, and potentially redirect program execution flow. The affected product is specifically FreeFloat FTP Server version 1.0 (CPE: cpe:2.3:a:freefloat:freefloat_ftp_server:1.0:*:*:*:*:*:*:*), which appears to be a legacy or discontinued product with minimal community support.

RemediationAI

Immediate remediation steps: (1) Identify all systems running FreeFloat FTP Server 1.0 and prepare for decommissioning or upgrade; (2) Check the FreeFLOAT vendor website (www.freefloat.com) for available patches or security advisories—verify if version 1.0 is still supported; (3) If patched versions exist (1.1 or later), upgrade immediately; (4) If no patches are available, the product is likely end-of-life and should be replaced with a maintained FTP server alternative (e.g., vsftpd, ProFTPD, or Pure-FTPd with current security patches). Interim mitigation: (5) Restrict network access to the FTP service using firewall rules to allow only trusted internal networks or IP ranges; (6) Disable PASV mode if not required for operational use, configuring clients to use PORT mode only; (7) Run the FTP service in a sandboxed/containerized environment to limit buffer overflow impact. Given the legacy nature of this product, deprecation in favor of modern, actively-maintained alternatives is strongly recommended over extended mitigation efforts.

More in Ftp

View all
CVE-2025-47812 CRITICAL POC
10.0 Jul 10

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through

CVE-2025-5548 HIGH POC
7.3 Jun 04

Critical buffer overflow vulnerability in the NOOP Command Handler of FreeFloat FTP Server 1.0 that allows remote, unaut

CVE-2023-22551 HIGH POC
7.5 Jan 01

The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to caus

CVE-2025-5637 HIGH POC
7.3 Jun 05

Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7's SYSTEM Command Handler that allows unauthenticated re

CVE-2025-5636 HIGH POC
7.3 Jun 05

Critical buffer overflow vulnerability in the SET Command Handler of PCMan FTP Server 2.0.7 that allows remote attackers

CVE-2025-5635 HIGH POC
7.3 Jun 05

Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7 affecting the PLS Command Handler component. Remote att

CVE-2025-5634 HIGH POC
7.3 Jun 05

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available

CVE-2025-5593 HIGH POC
7.3 Jun 04

Critical buffer overflow vulnerability in the HOST Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticat

CVE-2025-5551 HIGH POC
7.3 Jun 04

Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's SYSTEM Command Handler that allows unauthenticated

CVE-2025-68206
Dec 16

Linux kernel netfilter FTP NAT helper fails to properly initialize sequence adjustment extensions when connection tracki

Share

EUVD-2025-16816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy