Ftp
Monthly
Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.
A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.
Linux kernel netfilter FTP NAT helper fails to properly initialize sequence adjustment extensions when connection tracking helper assignment occurs after NAT rule processing, causing FTP PASV/EPSV mode transfers to fail with connection drops and kernel warnings. This affects systems running vulnerable kernel versions that perform NAT operations on FTP control connections (port 21) combined with FTP helper assignment in reverse rule order; the low EPSS score (0.03%, percentile 9%) and lack of active exploitation indicators suggest limited practical exploitability, though the defect prevents legitimate FTP functionality in specific network topologies.
Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.
Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7's SYSTEM Command Handler that allows unauthenticated remote attackers to cause denial of service and potentially execute arbitrary code with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild against unpatched systems.
Critical buffer overflow vulnerability in the SET Command Handler of PCMan FTP Server 2.0.7 that allows remote attackers to cause denial of service and potentially execute arbitrary code with no authentication required. The vulnerability has been publicly disclosed with exploit code available, making it an active threat to unpatched FTP server deployments. With a CVSS score of 7.3 and low attack complexity, this vulnerability represents a significant risk to organizations running vulnerable versions.
Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7 affecting the PLS Command Handler component. Remote attackers can exploit this flaw without authentication or user interaction to achieve confidentiality, integrity, and availability impacts. Public exploit code is available and the vulnerability may be actively exploited in the wild.
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.
Critical buffer overflow vulnerability in the HOST Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to trigger a denial of service or potentially achieve code execution. The vulnerability has a disclosed public exploit and may be actively exploited in the wild. With a CVSS score of 7.3 and network-accessible attack vector, this poses significant risk to any organization running the affected FTP server without immediate patching.
Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's SYSTEM Command Handler that allows unauthenticated remote attackers to achieve information disclosure, integrity violation, and service disruption. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in real-world environments without requiring user interaction or elevated privileges.
Critical buffer overflow vulnerability in the PASV command handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to cause denial of service and potentially achieve code execution with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, making it immediately actionable for threat actors. While the CVSS score of 7.3 reflects moderate severity, the combination of remote exploitability, public POC availability, and lack of authentication requirements positions this as a high-priority remediation target.
Critical buffer overflow vulnerability in the NOOP Command Handler of FreeFloat FTP Server 1.0 that allows remote, unauthenticated attackers to achieve arbitrary code execution or cause denial of service. The vulnerability has been publicly disclosed with working exploits available, and while the CVSS score of 7.3 indicates moderate severity, the combination of remote exploitability, lack of authentication requirements, and confirmed public disclosure elevates real-world risk significantly.
Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.
A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.
Linux kernel netfilter FTP NAT helper fails to properly initialize sequence adjustment extensions when connection tracking helper assignment occurs after NAT rule processing, causing FTP PASV/EPSV mode transfers to fail with connection drops and kernel warnings. This affects systems running vulnerable kernel versions that perform NAT operations on FTP control connections (port 21) combined with FTP helper assignment in reverse rule order; the low EPSS score (0.03%, percentile 9%) and lack of active exploitation indicators suggest limited practical exploitability, though the defect prevents legitimate FTP functionality in specific network topologies.
Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.
Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7's SYSTEM Command Handler that allows unauthenticated remote attackers to cause denial of service and potentially execute arbitrary code with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild against unpatched systems.
Critical buffer overflow vulnerability in the SET Command Handler of PCMan FTP Server 2.0.7 that allows remote attackers to cause denial of service and potentially execute arbitrary code with no authentication required. The vulnerability has been publicly disclosed with exploit code available, making it an active threat to unpatched FTP server deployments. With a CVSS score of 7.3 and low attack complexity, this vulnerability represents a significant risk to organizations running vulnerable versions.
Critical buffer overflow vulnerability in PCMan FTP Server 2.0.7 affecting the PLS Command Handler component. Remote attackers can exploit this flaw without authentication or user interaction to achieve confidentiality, integrity, and availability impacts. Public exploit code is available and the vulnerability may be actively exploited in the wild.
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.
Critical buffer overflow vulnerability in the HOST Command Handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to trigger a denial of service or potentially achieve code execution. The vulnerability has a disclosed public exploit and may be actively exploited in the wild. With a CVSS score of 7.3 and network-accessible attack vector, this poses significant risk to any organization running the affected FTP server without immediate patching.
Critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's SYSTEM Command Handler that allows unauthenticated remote attackers to achieve information disclosure, integrity violation, and service disruption. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in real-world environments without requiring user interaction or elevated privileges.
Critical buffer overflow vulnerability in the PASV command handler of FreeFloat FTP Server 1.0 that allows unauthenticated remote attackers to cause denial of service and potentially achieve code execution with limited impact on confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, making it immediately actionable for threat actors. While the CVSS score of 7.3 reflects moderate severity, the combination of remote exploitability, public POC availability, and lack of authentication requirements positions this as a high-priority remediation target.
Critical buffer overflow vulnerability in the NOOP Command Handler of FreeFloat FTP Server 1.0 that allows remote, unauthenticated attackers to achieve arbitrary code execution or cause denial of service. The vulnerability has been publicly disclosed with working exploits available, and while the CVSS score of 7.3 indicates moderate severity, the combination of remote exploitability, lack of authentication requirements, and confirmed public disclosure elevates real-world risk significantly.