Cyber Resilience

CVE-2024-46483

Critical

Published: 22 October 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1389 (94.5th percentile)
Risk Priority: 28 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46483 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS 0.1389, 94.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Xlight FTP Server versions prior to 3.9.4.3 contain an integer overflow (CWE-190) in the packet parsing logic of the SFTP server component. A crafted SFTP packet can trigger the overflow, which in turn causes a heap overflow: attacker-controlled data is written beyond the bounds of the allocated buffer.

The issue is exploitable over the network with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to memory corruption or arbitrary code execution on the server, with high impact on confidentiality, integrity and availability, as reflected in the CVSS 9.8 rating.
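The overflow class described above, as an added illustration in C. This is not Xlight's code and is not taken from the page's reference; it models the generic CWE-190 pattern in an SFTP packet parser. The packet layout (uint32 length, byte type, payload) and the SSH_FXP_WRITE field order (id, handle, offset, data) follow the IETF secsh-filexfer draft; the RECORD_HDR constant, the 256 KiB packet cap and the two sample packets are constructed for the example. The vulnerable size computation is shown only as arithmetic (the overflowing memcpy is not executed); the hardened parser beside it checks every claimed length against the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SFTP wire format (draft-ietf-secsh-filexfer): every packet is
   uint32 length | byte type | payload, and a "string" field inside the
   payload is uint32 length | bytes.  SSH_FXP_WRITE (type 6) carries
   uint32 id | string handle | uint64 offset | string data. */
#define SSH_FXP_WRITE    6u
#define SFTP_MAX_PACKET  (256u * 1024u)  /* defensive cap, assumed for this example */
#define RECORD_HDR       16u             /* hypothetical bookkeeping header prepended to buffered data */

typedef struct { const uint8_t *ptr; uint32_t len; } sftp_str;
typedef struct { uint32_t id; sftp_str handle; uint64_t offset; sftp_str data; } fxp_write;

static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t rd_u64(const uint8_t *p) {
    return ((uint64_t)rd_u32(p) << 32) | rd_u32(p + 4);
}

/* Vulnerable pattern (CWE-190): an attacker-controlled string length is added
   to a fixed header size in 32-bit arithmetic.  For lengths near UINT32_MAX the
   sum wraps to a tiny value; a server that then does malloc(size) followed by
   memcpy(buf, pkt, str_len) copies ~4 GiB of attacker data past an allocation
   of a few bytes (heap overflow).  Only the size arithmetic is reproduced here. */
uint32_t vuln_alloc_size(uint32_t str_len) {
    return str_len + RECORD_HDR;
}

/* Hardened allocation size: widen to size_t and check explicitly. */
int safe_alloc_size(uint32_t str_len, size_t *out) {
    if ((size_t)str_len > SIZE_MAX - RECORD_HDR) return -1;
    *out = (size_t)str_len + RECORD_HDR;
    return 0;
}

/* Hardened string read: the claimed length is compared with the bytes that
   remain in the packet before it is trusted.  Invariant: *off <= len. */
int safe_read_string(const uint8_t *pkt, size_t len, size_t *off, sftp_str *out) {
    if (len - *off < 4) return -1;
    uint32_t n = rd_u32(pkt + *off);
    *off += 4;
    if (n > len - *off) return -1;        /* claimed length exceeds packet: reject */
    out->ptr = pkt + *off;
    out->len = n;
    *off += n;
    return 0;
}

/* Parse one complete SSH_FXP_WRITE packet held in pkt[0..len).
   Returns 0 on success, -1 on any malformed or oversized field. */
int parse_fxp_write(const uint8_t *pkt, size_t len, fxp_write *w) {
    size_t off, need;
    if (len < 5) return -1;
    uint32_t body = rd_u32(pkt);
    if (body > SFTP_MAX_PACKET || (size_t)body != len - 4) return -1;
    if (pkt[4] != SSH_FXP_WRITE) return -1;
    off = 5;
    if (len - off < 4) return -1;
    w->id = rd_u32(pkt + off); off += 4;
    if (safe_read_string(pkt, len, &off, &w->handle) != 0) return -1;
    if (len - off < 8) return -1;
    w->offset = rd_u64(pkt + off); off += 8;
    if (safe_read_string(pkt, len, &off, &w->data) != 0) return -1;
    if (safe_alloc_size(w->data.len, &need) != 0) return -1;  /* buffer for data + header */
    return off == len ? 0 : -1;           /* no trailing garbage */
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = {
    0x00,0x00,0x00,0x1e, 0x06,                  /* length 30, SSH_FXP_WRITE */
    0x00,0x00,0x00,0x01,                        /* id = 1 */
    0x00,0x00,0x00,0x04, 'h','n','d','l',       /* handle */
    0,0,0,0,0,0,0,0,                            /* offset = 0 */
    0x00,0x00,0x00,0x05, 'h','e','l','l','o'    /* data */
};
/* Same packet, but the data string claims 0xFFFFFFF8 bytes while only 5 follow. */
static const uint8_t crafted_pkt[] = {
    0x00,0x00,0x00,0x1e, 0x06,
    0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x04, 'h','n','d','l',
    0,0,0,0,0,0,0,0,
    0xff,0xff,0xff,0xf8, 'h','e','l','l','o'
};

/* Result helpers: 1 when the parser behaves as intended. */
int benign_accepted(void) {
    fxp_write w;
    return parse_fxp_write(benign_pkt, sizeof benign_pkt, &w) == 0 &&
           w.id == 1u && w.handle.len == 4u && w.offset == 0 &&
           w.data.len == 5u && memcmp(w.data.ptr, "hello", 5) == 0;
}
int crafted_rejected(void) {
    fxp_write w;
    return parse_fxp_write(crafted_pkt, sizeof crafted_pkt, &w) == -1;
}

int main(void) {
    printf("benign packet  : %s\n", benign_accepted()  ? "accepted" : "rejected");
    printf("crafted packet : %s\n", crafted_rejected() ? "rejected" : "accepted");
    printf("vulnerable size for str_len 0xFFFFFFF8: %u bytes (wrapped)\n",
           vuln_alloc_size(0xFFFFFFF8u));
    return 0;
}
```

The crafted packet drives the vulnerable arithmetic to 0xFFFFFFF8 + 16 = 8, so a server using that size would allocate 8 bytes and then copy the claimed 4 GiB, which is the heap overflow with attacker-controlled content that the advisory describes. The hardened path never reaches the allocation: the length check in safe_read_string rejects the packet because only 5 bytes remain.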

The single public reference is a GitHub repository that documents the vulnerability but provides no vendor advisory or patch details. The associated EPSS score has remained flat at 0.1389 with no material increase since disclosure.


Vulnerability details

Xlight FTP Server <3.9.4.3 has an integer overflow vulnerability in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content.

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Xlight FTP Server versions prior to 3.9.4.3 (SFTP server component)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
