CVE-2021-47791
Published: 16 January 2026
Summary
CVE-2021-47791 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in SmartFTP Client (vendor SmartFTP). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 11.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-47791 is a set of multiple denial-of-service vulnerabilities in SmartFTP Client version 10.0.2909.0, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). These flaws allow attackers to crash the application through targeted input manipulation, including malformed paths, invalid IP addresses, or clearing connection history via the client's interface. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption achievable over the network with low complexity and no privileges or user interaction required.
Remote attackers without authentication can exploit these issues by delivering specially crafted inputs to a targeted SmartFTP Client instance, resulting in application crashes and denial of service. Exploitation disrupts the victim's FTP client functionality, potentially interrupting file transfer operations, though no confidentiality or integrity impacts are present.
Advisories such as the VulnCheck report on SmartFTP Client multiple denial-of-service vulnerabilities provide technical details, while proof-of-concept exploits are published on Exploit-DB (e.g., ID 50266). The official SmartFTP website offers downloads, suggesting users check for updated versions to address these issues.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3002
Vulnerability details
SmartFTP Client 10.0.2909.0 contains multiple denial-of-service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes remote exploitation of a client application vulnerability (CWE-770) to crash the process, matching T1499.004 Application or System Exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
SI-10 enforces validation of inputs such as malformed paths and invalid IP addresses, directly preventing the crashes exploited in CVE-2021-47791.
SC-5 provides denial-of-service protection mechanisms like rate limiting and input throttling to mitigate resource exhaustion from crafted inputs in CVE-2021-47791.
SI-2 ensures timely flaw remediation through patching SmartFTP Client version 10.0.2909.0 to eliminate the specific DoS vulnerabilities in CVE-2021-47791.