CVE-2020-37122
Published: 07 February 2026
Summary
CVE-2020-37122 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Nsauditor (inferred from references). Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2020-37122 is a denial of service vulnerability in SpotFTP-FTP Password Recover version 2.4.8, stemming from a buffer overflow classified under CWE-121. The flaw allows attackers to crash the application by supplying a specially crafted registration code, such as a text file containing 1000 'Z' characters. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without confidentiality or integrity effects.
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation results in application denial of service through crashing, rendering the software unavailable.
References include vendor pages at nsauditor.com and nsauditor.com/spotftp.html, an Exploit-DB proof-of-concept at exploit-db.com/exploits/48132 demonstrating the crash via the oversized registration code, and a Vulncheck advisory at vulncheck.com/advisories/spotftp-ftp-password-recover-denial-of-service documenting the buffer overflow issue. No patch or mitigation details are specified in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31103
Vulnerability details
SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a text file with 1000 'Z' characters and input it as a registration code…
more
to trigger the application crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in client application directly enables application crash via crafted input, matching Endpoint DoS by exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation of the registration code input length/format to block the oversized 1000-character buffer that triggers the CWE-121 overflow and crash.
Applies memory protections that can detect or block the stack-based buffer overflow before it corrupts memory and causes application termination.
Limits the impact of resource-exhaustion DoS attempts against the application by throttling or monitoring anomalous input volumes that lead to the crash.