Core FTP
cpe:2.3:a:coreftp:core_ftp:*:*:*:*:*:*:*
- <= 2.0, >= 2.0 build 653
A denial-of-service vulnerability has been identified in Core FTP version 2.0 build 653. The issue arises in the handling of the PBSZ command: an unauthenticated attacker can crash the FTP server by sending a malformed command with a payload exceeding 211 bytes. The oversized payload causes an access violation, leading to a crash of the FTP server process.
Exploitation of this vulnerability causes the FTP server process to crash, disrupting service availability.
To reproduce this vulnerability, install Core FTP version 2.0 build 653 and set up a domain with an IP and path. Start the FTP server service without adding users or configuring specific settings. Once the service is running, send a PBSZ command with a payload larger than 211 bytes. The server will crash, indicating that the denial-of-service condition has been successfully triggered.
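For detection at an FTP proxy or in control-channel logs, the check below flags PBSZ lines whose argument is longer than the 211-byte threshold given above or is not the 32-bit decimal integer that RFC 2228 specifies. It is an added example, not code from Core FTP or from this advisory; the function names, the sample lines, and the reading of "payload" as the PBSZ argument are assumptions.

```python
import re

# Threshold from the advisory text: payloads exceeding 211 bytes crash the server.
# Assumption: "payload" is taken to mean the PBSZ argument.
PBSZ_CRASH_THRESHOLD = 211
# RFC 2228: the PBSZ argument is a decimal integer that fits in 32 bits unsigned.
UINT32_MAX = 2**32 - 1
_DECIMAL = re.compile(rb"[0-9]{1,10}")


def classify_pbsz(line: bytes):
    """Return (verdict, reason) for one raw FTP control-channel line.

    verdict is "not_pbsz", "ok", "malformed" or "oversized".
    """
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    if verb.upper() != b"PBSZ":
        return ("not_pbsz", "")
    if len(arg) > PBSZ_CRASH_THRESHOLD:
        return ("oversized", f"argument is {len(arg)} bytes (> {PBSZ_CRASH_THRESHOLD})")
    if not _DECIMAL.fullmatch(arg) or int(arg) > UINT32_MAX:
        return ("malformed", "argument is not a 32-bit decimal integer")
    return ("ok", "")


def scan(lines):
    """Yield (index, verdict, reason) for every PBSZ line that is not well formed."""
    for i, line in enumerate(lines):
        verdict, reason = classify_pbsz(line)
        if verdict in ("malformed", "oversized"):
            yield (i, verdict, reason)


# Constructed sample control-channel lines (not captured from a real server).
SAMPLE = [
    b"AUTH TLS\r\n",
    b"PBSZ 0\r\n",
    b"PROT P\r\n",
    b"pbsz 16384\r\n",
    b"PBSZ " + b"9" * 12 + b"\r\n",
    b"PBSZ " + b"A" * 300 + b"\r\n",
]

if __name__ == "__main__":
    for idx, verdict, reason in scan(SAMPLE):
        print(f"line {idx}: {verdict}: {reason}")
```

Once the control channel is wrapped in TLS, the command is only visible at the server itself or at a TLS-terminating proxy, so the check belongs there rather than on a passive network sensor.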