{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25588", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T16:46:27.878Z", "datePublished": "2026-03-22T00:11:09.625Z", "dateUpdated": "2026-03-24T15:14:57.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:31.176Z"}, "title": "BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Assumed-Immutable Data is Stored in Writable Memory", "cweId": "CWE-1282", "type": "CWE"}]}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"version": "2019.0.0.50", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46875", "name": "ExploitDB-46875", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address"}], "credits": [{"lang": "en", "value": "Victor Mondrag\u00f3n", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-20T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:01:17.488103Z", "id": "CVE-2019-25588", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:14:57.186Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25588", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:01:17.488103Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:01:18.536Z"}}], "cna": {"title": "BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "credits": [{"lang": "en", "type": "finder", "value": "Victor Mondrag\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Bpftpserver", "product": "BulletProof FTP Server", "versions": [{"status": "affected", "version": "2019.0.0.50"}]}], "datePublic": "2019-05-20T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46875", "name": "ExploitDB-46875", "tags": ["exploit"]}, {"url": "http://bpftpserver.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://bpftpserver.com/products/bpftpserver/windows/download", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address", "name": "VulnCheck Advisory: BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1282", "description": "Assumed-Immutable Data is Stored in Writable Memory"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:31.176Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25588", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:14:57.186Z", "dateReserved": "2026-03-21T16:46:27.878Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-22T00:11:09.625Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bpftpserver:bulletproof_ftp_server:2019.0.0.50:*:*:*:*:*:*:*", "matchCriteriaId": "71B74705-53C3-49BD-AD68-9654D2974D92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked."}, {"lang": "es", "value": "BulletProof FTP Server 2019.0.0.50 contiene una vulnerabilidad de denegaci\u00f3n de servicio en el campo de Direcci\u00f3n DNS que permite a atacantes locales bloquear la aplicaci\u00f3n al proporcionar una cadena excesivamente larga. Los atacantes pueden habilitar la opci\u00f3n de Direcci\u00f3n DNS en la configuraci\u00f3n del cortafuegos y pegar un b\u00fafer de 700 bytes para provocar un bloqueo cuando se invoca la funci\u00f3n de Prueba."}], "id": "CVE-2019-25588", "lastModified": "2026-03-25T19:06:18.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-22T01:16:57.083", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://bpftpserver.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://bpftpserver.com/products/bpftpserver/windows/download"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46875"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1282"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2019.0.0.50"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BulletProof FTP Server", "source": "cna", "vendor": "Bpftpserver"}, "product": "bulletproof_ftp_server", "vendor": "bpftpserver"}], "analysis": {"en": {"generated_at": "2026-03-25T22:00:58.500479+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s latest patch or upgrade to a patched release that eliminates the DNS Address denial\u2011of\u2011service flaw.", "If a patch is not yet available, disable the DNS Address option in the firewall configuration to eliminate the attack surface.", "Restart the FTP service to apply configuration changes and confirm the service resumes normal operation.", "Monitor service logs and performance metrics to ensure the application remains stable and to detect any unexpected restarts or crashes."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BulletProof FTP Server product, version 2019.0.0.50. Systems that enable the DNS Address option in their firewall configuration are susceptible.", "description_and_impact": "BulletProof FTP Server 2019.0.0.50 contains a flaw that permits a local attacker who can alter firewall settings to crash the service by entering an overly long string into the DNS Address field. When the Test function is triggered, the server processes a 700\u2011byte buffer and terminates unexpectedly, causing a service outage.", "risk_and_exploitability": "Medium severity is reflected in the assessment score of 6.9, while the estimated chance of exploitation is very low, below 1%. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers require local access and appropriate privileges to modify firewall settings; no remote exploitation path is documented. Therefore, the overall risk is moderate in environments where local administrative functions are available but unlikely to be widely leveraged."}}}}, "created": "2026-03-23T09:48:48.816696+00:00", "updated": "2026-03-26T12:20:35.497594+00:00", "vendors": ["bpftpserver", "bpftpserver$PRODUCT$bulletproof_ftp_server"]}