Cyber Posture

CVE-2019-25614

Critical · Public PoC

Published: 22 March 2026
Modified: 23 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0082 (74.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mandates identification, reporting, and correction of the buffer overflow flaw in the STOR command handler to eliminate the vulnerability.

prevent

Requires validation of STOR command payloads to reject oversized inputs that trigger the buffer overflow.

prevent

Enforces memory protections such as ASLR and DEP to prevent arbitrary code execution from successful buffer overflows.
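
A defender-side check for the input-validation control above, as an added example that is not from the advisory or the vendor: it scans FTP control-channel command lines and flags STOR arguments that are oversized or contain non-printable bytes, noting whether the session logged in anonymously. The 200-byte limit, the ASCII-only file-name policy, the event format and the sample traffic are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed policy value, not taken from the advisory: the page only says the
# overflow uses 247 bytes of padding, so the limit sits well below that.
MAX_STOR_ARG = 200
# FTP command line: 3-4 letter verb, optional single space, then the argument.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)

@dataclass
class Alert:
    src: str
    reason: str
    arg_len: int
    anonymous: bool

def inspect_stream(events):
    """events: iterable of (src_ip, raw_command_line_bytes) from the control channel."""
    anonymous = {}  # src_ip -> True once an anonymous login name was seen
    alerts = []
    for src, raw in events:
        m = CMD_RE.match(raw.rstrip(b"\r\n"))
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2) or b""
        if verb == b"USER":
            anonymous[src] = arg.strip().lower() in (b"anonymous", b"ftp")
        elif verb == b"STOR":
            reasons = []
            if len(arg) > MAX_STOR_ARG:
                reasons.append("oversized argument")
            # Assumed policy: file names are printable ASCII only.
            if any(b < 0x20 or b > 0x7E for b in arg):
                reasons.append("non-printable bytes")
            if reasons:
                alerts.append(Alert(src, ", ".join(reasons), len(arg),
                                    anonymous.get(src, False)))
    return alerts

# Constructed sample traffic (documentation addresses, filler bytes only).
SAMPLE = [
    ("192.0.2.10", b"USER alice\r\n"),
    ("192.0.2.10", b"STOR report-2026.pdf\r\n"),
    ("198.51.100.7", b"USER anonymous\r\n"),
    ("198.51.100.7", b"PASS guest@example.com\r\n"),
    ("198.51.100.7", b"STOR " + b"A" * 247 + b"\xff\xfe\xfd\xfc" + b"\r\n"),
]

if __name__ == "__main__":
    for alert in inspect_stream(SAMPLE):
        print(alert)
```

Servers that accept UTF-8 file names would need the non-printable check relaxed to reject only control bytes.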

Security Summary · AI

Free Float FTP version 1.0 contains a buffer overflow vulnerability (CWE-787) in its STOR command handler. This flaw allows remote attackers to execute arbitrary code by sending a specially crafted STOR request with an oversized payload. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high confidentiality, integrity, and availability impacts.

Remote attackers can exploit this vulnerability over the network with no privileges beyond anonymous FTP credentials. By crafting a malicious STOR command (247 bytes of padding followed by a return address and shellcode), they can trigger the buffer overflow, leading to arbitrary code execution on the FTP server. No user interaction is required, making it highly exploitable in default configurations.

Advisories and references, including the VulnCheck advisory on the Free Float FTP STOR command remote buffer overflow and an Exploit-DB entry (46763) with a public proof-of-concept, provide technical details but do not specify official patches. The original software download is available from the vendor site.

A public exploit is documented on Exploit-DB, indicating potential for real-world attacks against unpatched instances of this legacy FTP server.

Details

CWE(s)

Affected Products

freefloat
freefloat ftp server
1.0

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in FTP server's STOR command enables remote unauthenticated arbitrary code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References