Cyber Resilience

CVE-2021-47791

Severity: Medium · Public PoC referenced

Published: 16 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: no fixed version recorded on this page
CVSS v4 score: 4.6 (Medium)
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0004 (percentile 11.1)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47791 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in SmartFTP Client (vendor SmartFTP). Its CVSS v4 base score is 4.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE sits at EPSS percentile 11.1 for exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-47791 covers multiple denial-of-service conditions in SmartFTP Client version 10.0.2909.0, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The client can be crashed through targeted input manipulation: entering malformed paths, supplying invalid IP addresses, or clearing the connection history through the client's interface. A CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is also quoted for this issue; note that its network attack vector and absence of user interaction do not match the triggers described here, all of which are supplied through the client's own interface, and the CVSS v4 vector recorded above (AV:L, UI:A, VA:L, score 4.6) reflects that local, user-interaction path. Treat the 7.5 figure with caution when prioritising.

Exploitation consists of getting a crafted value (an over-long or malformed path, an invalid IP address) into the relevant field of a running SmartFTP Client, or triggering the history-clearing operation, after which the process crashes. The impact is confined to availability: the client terminates and any in-progress file transfers are interrupted, but no confidentiality or integrity impact is recorded.

The VulnCheck advisory on the SmartFTP Client multiple denial-of-service vulnerabilities provides technical details, and a public proof-of-concept is published on Exploit-DB (ID 50266). No fixed version is identified on this page; the official SmartFTP website offers downloads, so users should verify that they are running a build newer than 10.0.2909.0 and confirm with the vendor's release notes that the crashes are addressed.


Vulnerability details

SmartFTP Client 10.0.2909.0 contains multiple denial-of-service vulnerabilities that allow an attacker to crash the application through specific input manipulation: entering malformed paths, using invalid IP addresses, or clearing the connection history in the client's interface.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes crashing a client application through crafted input (CWE-770), which matches T1499.004 Application or System Exploitation, the endpoint denial-of-service sub-technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)
CVE-2020-37139 (shared CWE-770)

Affected Assets

Vendor: smartftp
Product: smartftp
Version: 10.0.2909.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): enforces validation of inputs such as malformed paths and invalid IP addresses before the client acts on them, directly preventing the crashes exploited in CVE-2021-47791.

SC-5 Denial-of-service Protection (prevent): provides protection mechanisms such as rate limiting and input throttling, limiting the resource exhaustion that crafted inputs can cause in CVE-2021-47791.

SI-2 Flaw Remediation (prevent): ensures timely remediation by upgrading SmartFTP Client 10.0.2909.0 to a fixed version, eliminating the DoS vulnerabilities in CVE-2021-47791.
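As an added, illustrative example (not SmartFTP's code, and not derived from the PoC), the following C program shows the SI-10 control applied to the two input classes the advisory names, remote paths and host/IP fields: every value is bounded and syntax-checked before the client would act on it, so an over-long or malformed entry is rejected rather than reaching code that allocates or parses without limits. The length caps, function names and sample inputs are assumptions constructed for this page; the history-clearing trigger is not modelled because the page gives no detail on it.

```c
/* Added example for this page: bounded input validation (NIST SI-10) for the
 * two input classes named in the advisory, remote paths and host/IP fields.
 * Illustrative code, not SmartFTP's; limits and names are assumptions. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_PATH_LEN 1024   /* assumed cap for a remote path field */
#define MAX_HOST_LEN 253    /* RFC 1123 limit for a full hostname */

/* 1 if s is a valid IPv4 or IPv6 literal, else 0. NULL is rejected. */
int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || strlen(s) > INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* 1 if s is a syntactically valid RFC 1123 hostname: dot-separated labels of
 * 1..63 alphanumerics or '-', with no label starting or ending in '-'. */
int is_hostname(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    size_t label = 0;
    if (n == 0 || n > MAX_HOST_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')   /* empty label or label ending in '-' */
                return 0;
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-')
            return 0;
        if (label == 0 && c == '-')              /* label starting with '-' */
            return 0;
        if (++label > 63)
            return 0;
    }
    return label > 0 && s[n - 1] != '-';       /* no trailing dot, no trailing '-' */
}

/* Accept a host field only as an IP literal or a hostname. A dotted-digit
 * string that is not a valid IPv4 literal (e.g. 999.1.1.1) is rejected
 * outright rather than being passed on as a "hostname". */
int validate_host(const char *s)
{
    int numeric = (s != NULL && *s != '\0');
    if (is_ip_literal(s))
        return 1;
    for (const char *p = s; numeric && *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.')
            numeric = 0;
    if (numeric)
        return 0;
    return is_hostname(s);
}

/* Accept a remote path only if it is non-empty, within the cap and free of
 * control characters (CR/LF would also split the FTP command line). */
int validate_path(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_PATH_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs (RFC 5737 / RFC 3849 documentation addresses). */
    const char *hosts[] = { "192.0.2.10", "2001:db8::1", "ftp.example.com",
                            "999.1.1.1", "-bad.example", "" };
    char longpath[MAX_PATH_LEN + 2];

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("host %-18s -> %s\n", hosts[i], validate_host(hosts[i]) ? "ok" : "REJECT");

    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    printf("path of %zu bytes  -> %s\n", strlen(longpath), validate_path(longpath) ? "ok" : "REJECT");
    printf("path /pub/in.txt   -> %s\n", validate_path("/pub/in.txt") ? "ok" : "REJECT");
    printf("path with CRLF     -> %s\n", validate_path("/pub\r\nQUIT") ? "ok" : "REJECT");
    return 0;
}
```

The POSIX inet_pton header is used so the example runs on Linux; on Windows the same function lives in ws2tcpip.h and needs Winsock initialised first. Bracketed IPv6 literals such as [::1] are not accepted by this validator and would need to be unwrapped before the check.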
