{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25587", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T16:46:16.106Z", "datePublished": "2026-03-22T00:11:08.855Z", "dateUpdated": "2026-03-23T19:51:45.392Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:30.440Z"}, "title": "BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service", "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Assumed-Immutable Data is Stored in Writable Memory", "cweId": "CWE-1282", "type": "CWE"}]}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"version": "2019.0.0.50", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46876", "name": "ExploitDB-46876", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-storage-path-denial-of-service"}], "credits": [{"lang": "en", "value": "Victor Mondrag\u00f3n", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-20T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T19:50:27.485221Z", "id": "CVE-2019-25587", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T19:51:45.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25587", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T19:50:27.485221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T19:50:59.515Z"}}], "cna": {"title": "BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service", "credits": [{"lang": "en", "type": "finder", "value": "Victor Mondrag\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"status": "affected", "version": "2019.0.0.50"}]}], "datePublic": "2019-05-20T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46876", "name": "ExploitDB-46876", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-storage-path-denial-of-service", "name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1282", "description": "Assumed-Immutable Data is Stored in Writable Memory"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:30.440Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25587", "state": "PUBLISHED", "dateUpdated": "2026-03-23T19:51:45.392Z", "dateReserved": "2026-03-21T16:46:16.106Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-22T00:11:08.855Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:*", "matchCriteriaId": "71B74705-53C3-49BD-AD68-9654D2974D92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration."}, {"lang": "es", "value": "BulletProof FTP Servidor 2019.0.0.50 contiene una vulnerabilidad de denegaci\u00f3n de servicio en el par\u00e1metro de configuraci\u00f3n Storage-Path que permite a atacantes locales bloquear la aplicaci\u00f3n al proporcionar un valor de cadena excesivamente largo. Los atacantes pueden habilitar la configuraci\u00f3n Override Storage-Path y pegar un b\u00fafer de 500 bytes o m\u00e1s para provocar un bloqueo de la aplicaci\u00f3n al guardar la configuraci\u00f3n."}], "id": "CVE-2019-25587", "lastModified": "2026-03-25T19:10:46.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-22T01:16:56.897", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://bpftpserver.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://bpftpserver.com/products/bpftpserver/windows/download"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46876"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-storage-path-denial-of-service"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1282"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2019.0.0.50"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BulletProof FTP Server", "source": "cna", "vendor": "Bpftpserver"}, "product": "bulletproof_ftp_server", "vendor": "bpftpserver"}], "analysis": {"en": {"generated_at": "2026-03-25T22:29:36.114552+00:00", "value": {"mitigation_remediation": ["Apply the latest official patch for BulletProof FTP Server.", "If a patch is not available, edit the configuration file to disable the Override Storage-Path option.", "Restart the FTP service after modifying the configuration to ensure the change takes effect.", "Monitor system logs for attempts to write oversized Storage-Path values or repeated service crashes.", "Restrict local administrative access to the configuration files to reduce the risk of abuse."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "BulletProof FTP Server version 2019.0.0.50, provided by Bpftpserver, is affected on Windows operating systems. This vulnerability does not exist in earlier or later releases of the product.", "description_and_impact": "The storage-path configuration setting in BulletProof FTP Server 2019.0.0.50 accepts an excessively long string that causes the application to crash when the configuration is saved. An attacker with local privilege can enable the Override Storage-Path option and paste a buffer of 500 bytes or more, resulting in a denial of service for the FTP service while the server remains stuck until it is restarted. The flaw is caused by insufficient input validation of the length of the path string and is classified as a buffer overflow style issue (CWE-1282).", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. Because the exploit requires local access and offers no way to execute arbitrary code, the risk is limited to a temporary service outage. The EPSS score of less than 1% reflects a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. This suggests that while the flaw is real, it is unlikely to be widely abused in the wild."}}}}, "created": "2026-03-23T09:48:49.667591+00:00", "updated": "2026-03-26T12:20:36.387491+00:00", "vendors": ["bpftpserver", "bpftpserver$PRODUCT$bulletproof_ftp_server"]}