CVE-2020-36964
Published: 28 January 2026
Summary
CVE-2020-36964 is a high-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 31.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-36964 is a denial of service vulnerability in YATinyWinFTP, caused by a buffer overflow (CWE-787). The flaw affects the FTP service within this software, where attackers can trigger a crash by connecting and sending a malformed command consisting of a 272-byte buffer followed by a trailing space.
The vulnerability can be exploited by remote attackers with no privileges required, no user interaction, and low complexity, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation leads to a buffer overflow that crashes the FTP service, resulting in denial of service for legitimate users.
Advisories and related resources include the YATinyWinFTP GitHub repository at https://github.com/ik80/YATinyWinFTP, an entry on Exploit-DB at https://www.exploit-db.com/exploits/49127, and a Vulncheck advisory at https://www.vulncheck.com/advisories/yatinywinftp-denial-of-service. No patches or specific mitigations are detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30885
Vulnerability details
YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A remote, unauthenticated buffer overflow in a public-facing FTP service directly enables exploitation of an internet-facing application for denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates FTP command inputs for length and format to prevent buffer overflows from malformed 272-byte buffers with trailing spaces.
- SC-5 (Denial-of-service Protection): Limits the effects of denial-of-service events such as service crashes triggered by buffer overflow exploits.
- Remediates the specific buffer overflow flaw in YATinyWinFTP through timely patching or replacement.
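The SI-10 input-validation control above, worked through as an added example that is not code from YATinyWinFTP or from the advisory: a command-line validator that checks length and format before copying into a fixed buffer, so the 272-byte-plus-space input described in the analysis is rejected before any out-of-bounds write can happen. The 256-byte buffer size, the function names and the status codes are assumptions, and the sample input is constructed here.

```c
#include <string.h>

/* Assumed capacity of one FTP command line; the advisory does not state
 * the real buffer size in YATinyWinFTP, so 256 is a hypothetical value. */
#define CMD_BUF_SIZE 256

enum cmd_status { CMD_OK = 0, CMD_EMPTY, CMD_TOO_LONG, CMD_BAD_CHAR, CMD_TRAILING_SPACE };

/* Copy a raw command line (bytes received before CRLF) into a fixed buffer
 * only after length and format checks pass.  The length check runs before
 * any byte is copied, so an over-long line can never write past `out`. */
enum cmd_status validate_ftp_command(const char *raw, size_t raw_len,
                                     char *out, size_t out_size)
{
    if (raw_len == 0)
        return CMD_EMPTY;
    if (raw_len >= out_size)          /* reserve one byte for the NUL */
        return CMD_TOO_LONG;
    for (size_t i = 0; i < raw_len; i++) {  /* printable ASCII only */
        unsigned char c = (unsigned char)raw[i];
        if (c < 0x20 || c > 0x7e)
            return CMD_BAD_CHAR;
    }
    if (raw[raw_len - 1] == ' ')      /* argument announced but missing */
        return CMD_TRAILING_SPACE;
    memcpy(out, raw, raw_len);
    out[raw_len] = '\0';
    return CMD_OK;
}

/* Wrapper for NUL-terminated strings, using a local fixed buffer. */
enum cmd_status check_command(const char *s)
{
    char out[CMD_BUF_SIZE];
    return validate_ftp_command(s, strlen(s), out, sizeof out);
}

/* Constructed sample with the shape the advisory describes: 272 bytes
 * followed by one space.  It is rejected by the length check, before any
 * copy into the fixed buffer takes place. */
enum cmd_status check_272_byte_sample(void)
{
    char sample[273], out[CMD_BUF_SIZE];
    memset(sample, 'A', 272);
    sample[272] = ' ';
    return validate_ftp_command(sample, sizeof sample, out, sizeof out);
}
```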