CVE-2018-7573 in FTPShell Client

Summary

by MITRE

An issue was discovered in FTPShell Client 6.7. A remote FTP server can send 400 characters of 'F' in conjunction with the FTP 220 response code to crash the application; after this overflow, one can run arbitrary code on the victim machine. This is similar to CVE-2009-3364 and CVE-2017-6465.


Analysis

by VulDB Data Team • 10/24/2025

The vulnerability identified as CVE-2018-7573 is a classic buffer overflow in FTPShell Client version 6.7 that demonstrates the persistent nature of remote code execution vulnerabilities in file transfer protocols. The issue arises from insufficient input validation in the client's handling of FTP server responses, specifically when it processes the initial 220 response code that indicates the server is ready for connection. A malicious FTP server can craft a response containing 400 consecutive 'F' characters, which, when processed by the vulnerable client application, triggers a stack-based buffer overflow. This type of vulnerability falls under CWE-121 (stack-based buffer overflow), where the attacker can overwrite adjacent memory locations, including return addresses and control flow information.

The operational impact of this vulnerability extends beyond a simple application crash, as it enables remote code execution capabilities that align with the ATT&CK technique T1059.1001 for command and scripting interpreter. When the buffer overflow occurs during the processing of the 220 response, the client application's execution flow becomes corrupted, allowing an attacker to potentially inject and execute arbitrary code on the victim machine with the privileges of the user running the FTPShell Client. This is a critical security risk, since it turns a simple file transfer client into a potential attack vector for system compromise. The vulnerability's similarity to CVE-2009-3364 and CVE-2017-6465 demonstrates a recurring pattern in FTP client implementations, where insufficient boundary checking in response parsing creates exploitable conditions.

Exploiting this vulnerability requires the attacker to control or compromise an FTP server that communicates with the target system, making it a server-side attack vector that can be particularly insidious in environments where users connect to multiple FTP servers. The 400-character length of the triggering response suggests the buffer in question has a relatively small capacity, making the overflow predictable and reliable. The memory corruption occurs during the initial connection phase, when the client processes the server's welcome message, meaning that even legitimate connections to compromised servers could result in exploitation. This vulnerability type is particularly dangerous because it can be triggered without user interaction beyond initiating the connection, making it an ideal candidate for automated attacks and reconnaissance activities.

Organizations should consider implementing network segmentation and firewall rules to limit FTP client access to trusted servers, while also ensuring that all FTP clients are updated to versions that properly validate and sanitize server responses. The vulnerability also highlights the importance of input validation in network protocol implementations and serves as a reminder that even seemingly benign protocols like FTP can contain critical security flaws when proper bounds checking is not implemented.
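The bounds check this analysis calls for, sketched in C as an added example (not FTPShell's code, which this page does not show). The names `ftp_reply`, `parse_ftp_reply`, `parse_long_greeting` and the 256-byte cap are assumptions made for illustration; the input is constructed from the 220 response with 400 'F' characters described above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPLY_TEXT_MAX 256 /* assumed cap for this example, not FTPShell's value */
struct ftp_reply { /* hypothetical record, not FTPShell's own structure */
    int code;
    char text[REPLY_TEXT_MAX];
};

/* Parse one reply line such as "220 text\r\n" of known length len.
 * Returns 0 on success, -1 if malformed, -2 if the text would not fit.
 * The unbounded pattern this replaces is strcpy(out->text, line + 4). */
int parse_ftp_reply(const char *line, size_t len, struct ftp_reply *out)
{
    if (len < 4) return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i])) return -1;
    if (line[3] != ' ' && line[3] != '-') return -1;

    const char *text = line + 4;
    size_t tlen = len - 4;
    while (tlen > 0 && (text[tlen - 1] == '\r' || text[tlen - 1] == '\n'))
        tlen--; /* drop the trailing CRLF */
    if (tlen >= sizeof out->text) return -2; /* reject instead of overflowing */

    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    memcpy(out->text, text, tlen);
    out->text[tlen] = '\0';
    return 0;
}

/* Constructed input: a 220 greeting carrying n 'F' characters. */
int parse_long_greeting(size_t n)
{
    char line[1024];
    struct ftp_reply r;
    if (n > sizeof line - 6) return -1;
    memcpy(line, "220 ", 4);
    memset(line + 4, 'F', n);
    memcpy(line + 4 + n, "\r\n", 2);
    return parse_ftp_reply(line, n + 6, &r);
}

int main(void)
{
    printf("400 x 'F': %d, 10 x 'F': %d\n", parse_long_greeting(400), parse_long_greeting(10));
    return 0;
}
```

Rejecting the over-long greeting, rather than truncating it silently, lets the client close the connection and log the server as misbehaving.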

Reservation: 02/28/2018
Disclosure: 03/01/2018
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.77954
KEV: no
Activities: very low
