CVE-2019-25332
Published: 12 February 2026
Summary
CVE-2019-25332 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Internet Soft (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-16 implements memory protections like DEP, ASLR, and stack canaries that directly prevent exploitation of stack overflows for EIP overwrite and arbitrary code execution.
SI-10 requires validation of information inputs to block oversized payloads like the 4108-byte malicious input that triggers the buffer overflow.
SI-2 mandates timely flaw remediation, such as patching or removing vulnerable legacy software like FTP Commander Pro 8.03.
NVD Description
FTP Commander Pro 8.03 contains a local stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting the EIP register through a custom command input. Attackers can craft a malicious payload of 4108 bytes to overwrite memory and…
more
execute shellcode, demonstrating remote code execution potential.
Deeper analysisAI
CVE-2019-25332 is a local stack overflow vulnerability in FTP Commander Pro version 8.03. The issue arises from a custom command input that allows attackers to overwrite the EIP register, enabling arbitrary code execution. Attackers can craft a malicious payload of 4108 bytes to overwrite memory and execute shellcode.
The vulnerability can be exploited by local attackers requiring low complexity, no privileges, and no user interaction, as indicated by its CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation grants high impacts on confidentiality, integrity, and availability, allowing attackers to achieve remote code execution potential through shellcode deployment. It is associated with CWE-121 (Stack-based Buffer Overflow).
Advisories and references, including the vendor site at http://www.internet-soft.com/, Exploit-DB proof-of-concepts at https://www.exploit-db.com/exploits/37810 and https://www.exploit-db.com/exploits/47775, and a VulnCheck advisory at https://www.vulncheck.com/advisories/ftp-commander-pro-local-stack-overflow, document the vulnerability and provide exploit details. No specific patch or mitigation steps are outlined in the CVE description.
Publicly available proof-of-concept exploits on Exploit-DB highlight real-world exploitability for this legacy FTP client software. The CVE was published on 2026-02-12.
Details
- CWE(s)