Cyber Posture

CVE-2019-25614

Severity: Critical · Public PoC

Published: 22 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0082 (74.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25614 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Freefloat FTP Server (vendor: Freefloat). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mandates identification, reporting, and correction of the buffer overflow flaw in the STOR command handler to eliminate the vulnerability.
- prevent, SI-10 (Information Input Validation): Requires validation of STOR command payloads to reject oversized inputs that trigger the buffer overflow.
- prevent, SI-16 (Memory Protection): Enforces memory protections such as ASLR and DEP to prevent arbitrary code execution from successful buffer overflows.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in FTP server's STOR command enables remote unauthenticated arbitrary code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.

Deeper analysis

Free Float FTP version 1.0 contains a buffer overflow vulnerability (CWE-787) in its STOR command handler. This flaw allows remote attackers to execute arbitrary code by sending a specially crafted STOR request with an oversized payload. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high confidentiality, integrity, and availability impacts.

Remote attackers can exploit this vulnerability over the network with no privileges beyond anonymous FTP credentials. A malicious STOR command, consisting of 247 bytes of padding followed by a return address and shellcode, triggers the buffer overflow and leads to arbitrary code execution on the FTP server. No user interaction is required, which makes the flaw highly exploitable in default configurations.
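The SI-10 input-validation control above and the oversized-STOR behaviour described in this section, as an added detection example that is not from the advisory, the vendor or Exploit-DB: it parses client-to-server FTP control-channel lines and flags STOR arguments that reach the 247-byte length the advisory cites, or that carry control bytes. The threshold constant, the regex and the sample session are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption (not from the advisory): a STOR argument at or beyond this length is
# treated as suspicious. The advisory places the overflow at 247 bytes of padding,
# so a legitimate file name for this server should never approach it.
MAX_STOR_ARG = 247

# One FTP control-channel command: a 3-4 letter verb, optionally a space and argument.
FTP_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)

@dataclass
class Verdict:
    command: str
    arg_len: int
    suspicious: bool
    reason: str

def inspect_ftp_line(line: bytes) -> Verdict:
    """Classify one client-to-server FTP control line (CRLF-terminated or not)."""
    line = line.rstrip(b"\r\n")
    m = FTP_CMD_RE.match(line)
    if not m:
        return Verdict("?", len(line), True, "line does not parse as an FTP command")
    cmd = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    if cmd != "STOR":
        return Verdict(cmd, len(arg), False, "not a STOR command")
    if len(arg) >= MAX_STOR_ARG:
        return Verdict(cmd, len(arg), True,
                       f"STOR argument is {len(arg)} bytes, at or past the overflow length")
    # Control bytes (0x00-0x1f, 0x7f) have no place in a file name; bytes >= 0x80
    # are left alone so UTF-8 names are not flagged.
    if any(b < 0x20 or b == 0x7F for b in arg):
        return Verdict(cmd, len(arg), True, "STOR argument contains control bytes")
    return Verdict(cmd, len(arg), False, "STOR argument within limits")

def scan_session(lines):
    """Return the verdict for every suspicious line in a captured session."""
    return [v for v in map(inspect_ftp_line, lines) if v.suspicious]

# Constructed sample session, not a real capture: anonymous login, a normal upload,
# then a STOR whose argument is far past the 247-byte boundary.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"STOR report.txt\r\n",
    b"STOR " + b"A" * 300 + b"\r\n",
]
```

Running `scan_session(SAMPLE_SESSION)` returns a single verdict for the 300-byte STOR; the same check, placed in front of the server's command handler, is the rejection SI-10 calls for.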

Advisories and references, including the VulnCheck advisory on the Free Float FTP STOR command remote buffer overflow and an Exploit-DB entry (46763) with a public proof-of-concept, provide technical details but do not specify official patches. The original software download is available from the vendor site.

A public exploit is documented on Exploit-DB, indicating potential for real-world attacks against unpatched instances of this legacy FTP server.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products: vendor freefloat, product freefloat ftp server, version 1.0

CVEs Like This One

- CVE-2012-10023 (same product: Freefloat FTP Server)
- CVE-2012-10030 (same product: Freefloat FTP Server)
- CVE-2025-27821 (shared CWE-787)
- CVE-2026-0116 (shared CWE-787)
- CVE-2025-25742 (shared CWE-787)
- CVE-2024-57704 (shared CWE-787)
- CVE-2025-26508 (shared CWE-787)
- CVE-2025-29031 (shared CWE-787)
- CVE-2024-11345 (shared CWE-787)
- CVE-2025-62818 (shared CWE-787)

References