Cyber Posture

CVE-2020-37139

Severity: High · Public PoC

Published: 05 February 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-37139 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Oldversion (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, it is ranked at the 0.4th percentile by exploit likelihood (EPSS, well below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

- prevent: Directly remediates the buffer overflow flaw in Odin Secure FTP Expert's site information fields by identifying, reporting, and patching the vulnerability in a timely manner.
- prevent: Validates inputs to connection and site information fields to block oversized payloads, such as 108 bytes of repeated characters, that trigger the buffer overflow.
- prevent: Ensures the application handles buffer overflow errors gracefully without crashing, mitigating the denial-of-service impact from invalid inputs.

NVD Description

Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application to crash.

Deeper analysis (AI-generated)

CVE-2020-37139 is a local denial of service vulnerability in Odin Secure FTP Expert version 7.6.3. The flaw arises from a buffer overflow in the site information fields, specifically when attackers paste 108 bytes of repeated characters into connection fields, causing the application to crash. It is classified under CWE-770 and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Local attackers can exploit this vulnerability without requiring privileges, using low-complexity techniques and no user interaction. By inputting the specified payload into the affected fields, they trigger the buffer overflow, resulting in application denial of service through crashing.

References include an Exploit-DB entry with a proof-of-concept (https://www.exploit-db.com/exploits/48262), a VulnCheck advisory on the site info denial of service (https://www.vulncheck.com/advisories/odin-secure-ftp-expert-site-info-denial-of-service), and a software download link (http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3). No patches or specific mitigations are mentioned in the available details.

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

Oldversion (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-8099 (shared CWE-770)
- CVE-2021-47895 (shared CWE-770)
- CVE-2020-37085 (shared CWE-770)
- CVE-2026-20103 (shared CWE-770)
- CVE-2024-12537 (shared CWE-770)
- CVE-2026-33256 (shared CWE-770)
- CVE-2026-26313 (shared CWE-770)
- CVE-2026-31283 (shared CWE-770)
- CVE-2026-35401 (shared CWE-770)
- CVE-2025-1059 (shared CWE-770)
