CVE-2019-25614 in Free Float FTP
Summary
by MITRE • 03/22/2026
Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2019-25614 resides within Free Float FTP Server version 1.0, representing a critical buffer overflow flaw that fundamentally compromises the integrity and security of the affected system. This particular implementation suffers from inadequate input validation mechanisms within its STOR command handler, which processes file upload requests from remote clients. The flaw manifests when the server receives a specially crafted STOR command that exceeds the allocated buffer space, creating conditions ripe for exploitation through memory corruption techniques.
The technical exploitation mechanism leverages a classic stack-based buffer overflow approach where attackers construct malicious payloads that exceed the predefined buffer limits. Specifically, the attack requires sending a STOR command containing precisely 247 bytes of padding followed by a carefully constructed return address and shellcode. This methodology directly targets the server's memory layout and exploits the lack of proper bounds checking during command processing. The vulnerability operates at the application layer and requires no elevated privileges for initial access, as attackers can authenticate using anonymous credentials, making the attack surface particularly wide.
From an operational impact perspective, successful exploitation of this vulnerability enables remote attackers to execute arbitrary code with the privileges of the FTP server process, typically running with system-level permissions. This code execution capability allows adversaries to gain complete control over the affected server, potentially leading to data exfiltration, system compromise, or use as a launching point for further attacks within the network infrastructure. The vulnerability's remote exploitability eliminates the need for physical access or local network presence, making it particularly dangerous for publicly accessible FTP servers.
The flaw aligns with CWE-121, which categorizes stack-based buffer overflow conditions, and is consistent with ATT&CK technique T1190 (Exploit Public-Facing Application), here exploitation for execution through the manipulation of input validation controls.
Organizations utilizing Free Float FTP Server version 1.0 should immediately implement mitigations including software updates from the vendor, network segmentation, and firewall rules restricting FTP access to trusted networks only. Additionally, intrusion detection systems capable of identifying anomalous STOR command patterns and monitoring for suspicious payload sizes can provide early warning. The vulnerability underscores the importance of proper input validation and buffer management practices in network services, particularly those handling user-supplied data in server applications.
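One way to implement the STOR monitoring described above, as an added example that is not part of the original advisory or any vendor tooling. It scans a reassembled client-to-server FTP control stream; the 200-byte alert threshold, the `Alert` record and the function names are assumptions, and the sample session is constructed.

```python
from dataclasses import dataclass

RET_OFFSET = 247    # from the advisory: padding length before the return address
MAX_STOR_ARG = 200  # assumed alert threshold below RET_OFFSET; tune per site

@dataclass
class Alert:
    line_no: int
    arg_len: int
    anonymous: bool   # session had logged in as "anonymous" before the STOR
    reasons: tuple

def is_binary(arg: bytes) -> bool:
    """True if the argument is not valid UTF-8 or holds control characters."""
    try:
        text = arg.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)

def scan_control_stream(stream: bytes) -> list:
    """Return an Alert for every suspicious STOR in one control-channel stream."""
    alerts, anonymous = [], False
    for line_no, raw in enumerate(stream.split(b"\n"), start=1):
        verb, _, arg = raw.rstrip(b"\r").partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            anonymous = arg.strip().lower() == b"anonymous"
        elif verb == b"STOR":
            reasons = []
            if len(arg) > MAX_STOR_ARG:
                reasons.append("oversized")
            if len(arg) >= RET_OFFSET:
                reasons.append("reaches-return-offset")
            if is_binary(arg):
                reasons.append("binary")
            if reasons:
                alerts.append(Alert(line_no, len(arg), anonymous, tuple(reasons)))
    return alerts

# Constructed sample session (harmless filler bytes, not a captured attack).
SAMPLE = (b"USER anonymous\r\nPASS guest@example.test\r\n"
          b"STOR report.txt\r\n"
          b"STOR " + b"A" * 300 + b"\r\n"
          b"STOR caf\xc3\xa9.txt\r\n"
          b"STOR x\xff\x01\r\n")

if __name__ == "__main__":
    for alert in scan_control_stream(SAMPLE):
        print(alert)
```

Valid UTF-8 filenames such as the accented one in the sample are not flagged, so the "binary" reason fires only on undecodable bytes or control characters.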