Cyber Resilience

CVE-2019-25614

Critical · Public PoC

Published: 22 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0095 (56.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25614 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Freefloat FTP Server (vendor: Freefloat). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

Free Float FTP version 1.0 contains a buffer overflow vulnerability (CWE-787) in its STOR command handler. This flaw allows remote attackers to execute arbitrary code by sending a specially crafted STOR request with an oversized payload. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high confidentiality, integrity, and availability impacts.

Remote attackers can exploit this vulnerability over the network with no privileges beyond anonymous FTP credentials. A malicious STOR command, consisting of 247 bytes of padding followed by a return address and shellcode, triggers the buffer overflow and leads to arbitrary code execution on the FTP server. No user interaction is required, so the flaw is highly exploitable in default configurations.

Advisories and references, including the VulnCheck advisory on the Free Float FTP STOR command remote buffer overflow and an Exploit-DB entry (46763) with a public proof-of-concept, provide technical details but do not specify an official patch. The original software download is available from the vendor site.

A public exploit is documented on Exploit-DB, indicating potential for real-world attacks against unpatched instances of this legacy FTP server.

Vulnerability details

Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous credentials and send a malicious STOR command containing 247 bytes of padding followed by a return address and shellcode to trigger code execution on the FTP server.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in FTP server's STOR command enables remote unauthenticated arbitrary code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2012-10023 - Same product: Freefloat Freefloat Ftp Server
CVE-2012-10030 - Same product: Freefloat Freefloat Ftp Server
CVE-2025-27807 - Shared CWE-787
CVE-2024-48856 - Shared CWE-787
CVE-2025-14234 - Shared CWE-787
CVE-2018-25223 - Shared CWE-787
CVE-2018-25154 - Shared CWE-787
CVE-2024-57704 - Shared CWE-787
CVE-2025-29384 - Shared CWE-787
CVE-2024-12648 - Shared CWE-787

Affected Assets

Vendor: freefloat
Product: freefloat ftp server
Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent: Directly mandates identification, reporting, and correction of the buffer overflow flaw in the STOR command handler to eliminate the vulnerability.

prevent (SI-10 Information Input Validation): Requires validation of STOR command payloads to reject oversized inputs that trigger the buffer overflow.

prevent (SI-16 Memory Protection): Enforces memory protections such as ASLR and DEP to prevent arbitrary code execution from successful buffer overflows.
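The STOR handler flaw described in the deeper analysis and the input-validation control (SI-10) listed above can be put side by side in code. The C example below is added here; it is not Freefloat's code and not taken from the advisory or the proof-of-concept. The buffer size STOR_NAME_MAX, the function names and the sample log lines are assumptions constructed for the example. It contrasts the unbounded copy that produces the out-of-bounds write with a parser that measures and bounds the argument before copying, and adds a log-side check that flags STOR arguments far longer than any filename.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed capacity of the filename buffer in a STOR handler. The real
 * Freefloat FTP Server buffer size is not stated on the page; the value is
 * chosen only so that the sample inputs stay short. */
#define STOR_NAME_MAX 64

/* Vulnerable pattern (CWE-787): the text after "STOR " is copied into a
 * fixed-size stack buffer with no length check, so an argument longer than
 * STOR_NAME_MAX - 1 bytes writes past the end of `name`. Shown for contrast
 * only; this example never feeds it an oversized argument. */
static void stor_handler_vulnerable(const char *line)
{
    char name[STOR_NAME_MAX];
    strcpy(name, line + 5);   /* unbounded copy: this is the defect */
    printf("[vulnerable] would store \"%s\"\n", name);
}

typedef enum {
    STOR_OK = 0,     /* argument accepted and copied into out */
    STOR_NOT_STOR,   /* line is not a STOR command */
    STOR_EMPTY,      /* STOR with no argument */
    STOR_TOO_LONG,   /* argument does not fit the output buffer */
    STOR_BAD_CHAR    /* control character or path separator in argument */
} stor_status;

/* Hardened parser (the SI-10 style check): measure the argument first,
 * reject it when it would not fit `out` (leaving room for the NUL) or
 * carries characters a bare filename never needs, and only then copy. */
static stor_status parse_stor(const char *line, char *out, size_t outlen)
{
    if (outlen == 0 || strncmp(line, "STOR ", 5) != 0)
        return STOR_NOT_STOR;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");   /* argument length up to CRLF */
    if (n == 0)
        return STOR_EMPTY;
    if (n >= outlen)
        return STOR_TOO_LONG;          /* bound checked before any write */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c < 0x20 || c == 0x7f || c == '/' || c == '\\')
            return STOR_BAD_CHAR;
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    return STOR_OK;
}

/* Status-only wrapper around parse_stor using a STOR_NAME_MAX buffer. */
static stor_status stor_status_of(const char *line)
{
    char name[STOR_NAME_MAX];
    return parse_stor(line, name, sizeof name);
}

/* 1 if the line is accepted and yields exactly `expect`, else 0. */
static int parse_stor_yields(const char *line, const char *expect)
{
    char name[STOR_NAME_MAX];
    return parse_stor(line, name, sizeof name) == STOR_OK
        && strcmp(name, expect) == 0;
}

/* Detection side: length of the STOR argument recorded anywhere in a log
 * line, or -1 if the line carries no STOR command. */
static int stor_arg_len(const char *logline)
{
    const char *p = strstr(logline, "STOR ");
    if (p == NULL)
        return -1;
    return (int)strcspn(p + 5, "\r\n");
}

/* Count log lines whose STOR argument exceeds `threshold` bytes. Real
 * filenames are short; the exploit described on the page carries hundreds
 * of bytes of padding, return address and shellcode. */
static int count_oversized_stor(const char *const *lines, size_t nlines,
                                int threshold)
{
    int hits = 0;
    for (size_t i = 0; i < nlines; i++)
        if (stor_arg_len(lines[i]) > threshold)
            hits++;
    return hits;
}

/* Run the detector over a constructed sample log (not real traffic): three
 * ordinary commands and one STOR whose argument is 200 bytes of filler. */
static int sample_log_oversized_hits(int threshold)
{
    char filler[201];
    memset(filler, 'A', 200);
    filler[200] = '\0';
    char big[256];
    snprintf(big, sizeof big, "192.0.2.10 STOR %s", filler);
    const char *const lines[] = {
        "192.0.2.10 USER anonymous",
        "192.0.2.10 PASS guest@example.org",
        "192.0.2.10 STOR report.txt",
        big,
    };
    return count_oversized_stor(lines, sizeof lines / sizeof lines[0], threshold);
}

int main(void)
{
    stor_handler_vulnerable("STOR demo.txt");   /* short argument, safe here */
    printf("parse_stor(report.txt) -> %d\n", stor_status_of("STOR report.txt\r\n"));
    printf("oversized STOR lines in sample log: %d\n", sample_log_oversized_hits(128));
    return 0;
}
```

The hardened parser never touches the output buffer until the argument length is known to fit, which is the whole difference between it and the `strcpy` version; the character filter is a separate hygiene step that also blocks path traversal in the stored filename. The detection threshold of 128 bytes is an assumption: pick it well above the longest filename the server legitimately sees so that only padded payloads trip it.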
