Cyber Resilience

CVE-2020-36964

HighPublic PoC

Published: 28 January 2026

Published
28 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-36964 is a high-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-36964 is a denial of service vulnerability in YATinyWinFTP, caused by a buffer overflow (CWE-787). The flaw affects the FTP service within this software, where attackers can trigger a crash by connecting and sending a malformed command consisting of a 272-byte buffer followed by a trailing space.

The vulnerability can be exploited by remote attackers with no privileges required, no user interaction, and low complexity, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation leads to a buffer overflow that crashes the FTP service, resulting in denial of service for legitimate users.

Advisories and related resources include the YATinyWinFTP GitHub repository at https://github.com/ik80/YATinyWinFTP, an entry on Exploit-DB at https://www.exploit-db.com/exploits/49127, and a Vulncheck advisory at https://www.vulncheck.com/advisories/yatinywinftp-denial-of-service. No patches or specific mitigations are detailed in the available information.

EU & UK References

Vulnerability details

YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer…

more

overflow and service crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated buffer overflow in public-facing FTP service directly enables exploitation of an internet-facing application for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27807Shared CWE-787
CVE-2024-48856Shared CWE-787
CVE-2025-14234Shared CWE-787
CVE-2018-25223Shared CWE-787
CVE-2018-25154Shared CWE-787
CVE-2024-57704Shared CWE-787
CVE-2025-29384Shared CWE-787
CVE-2024-12648Shared CWE-787
CVE-2025-30276Shared CWE-787
CVE-2025-25746Shared CWE-787

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates FTP command inputs for length and format to prevent buffer overflows from malformed 272-byte buffers with trailing spaces.

prevent

Limits effects of denial-of-service events like service crashes triggered by buffer overflow exploits.

prevent

Remediates the specific buffer overflow flaw in YATinyWinFTP through timely patching or replacement.

References