{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25588", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T16:46:27.878Z", "datePublished": "2026-03-22T00:11:09.625Z", "dateUpdated": "2026-03-24T15:14:57.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:31.176Z"}, "title": "BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Assumed-Immutable Data is Stored in Writable Memory", "cweId": "CWE-1282", "type": "CWE"}]}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"version": "2019.0.0.50", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46875", "name": "ExploitDB-46875", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address"}], "credits": [{"lang": "en", "value": "Victor Mondrag\u00f3n", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-20T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:01:17.488103Z", "id": "CVE-2019-25588", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:14:57.186Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25588", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:01:17.488103Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:01:18.536Z"}}], "cna": {"title": "BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "credits": [{"lang": "en", "type": "finder", "value": "Victor Mondrag\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"status": "affected", "version": "2019.0.0.50"}]}], "datePublic": "2019-05-20T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46875", "name": "ExploitDB-46875", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address", "name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1282", "description": "Assumed-Immutable Data is Stored in Writable Memory"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:31.176Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25588", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:14:57.186Z", "dateReserved": "2026-03-21T16:46:27.878Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-22T00:11:09.625Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}], "id": "CVE-2019-25588", "lastModified": "2026-03-23T14:31:37.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-22T01:16:57.083", "references": [{"source": "disclosure@vulncheck.com", "url": "http://bpftpserver.com/"}, {"source": "disclosure@vulncheck.com", "url": "http://bpftpserver.com/products/bpftpserver/windows/download"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46875"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1282"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2019.0.0.50"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BulletProof FTP Server", "source": "cna", "vendor": "Bpftpserver"}, "product": "bulletproof_ftp_server", "vendor": "bpftpserver"}], "analysis": {"en": {"generated_at": "2026-03-22T01:50:25.975634+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s latest patch or upgrade to a newer release of BulletProof FTP Server as soon as it becomes available.", "If a patch cannot be applied, disable the DNS Address option in the Firewall settings to eliminate the vulnerable input path.", "Limit local user permissions so that only trusted administrators can modify firewall settings and the DNS Address option.", "Monitor the FTP server for crashes or restarts and implement alerting to detect repeated denial\u2011of\u2011service attempts."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the BulletProof FTP Server version 2019.0.0.50 running on Windows hosts. Only this specific build is listed as vulnerable; other versions are not indicated as affected. Environments that expose the Firewall settings and allow the DNS Address option to be enabled are at risk.", "description_and_impact": "BulletProof FTP Server 2019.0.0.50 suffers from a buffer overrun in the DNS Address field that allows a local user to crash the application by providing an overly long string. The attacker can enable the DNS Address option in the Firewall settings and paste a 700\u2011byte buffer before invoking the Test function, which causes the server process to terminate. The impact is a denial of service that compromises availability but does not affect confidentiality or integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.9, indicating moderate severity. No EPSS score is provided and it is not included in the CISA KEV catalog. The exploitation requires local access to the server or privileged access to modify firewall settings, making the attack vector local. If an attacker can enable the DNS Address option and invoke the Test function, they can repeatedly crash the service, leading to service downtime and reduced availability for users."}}}}, "created": "2026-03-23T09:48:48.816696+00:00", "updated": "2026-03-25T14:46:51.256401+00:00", "vendors": ["bpftpserver", "bpftpserver$PRODUCT$bulletproof_ftp_server"]}