CVE-2019-25686

HIGH 7.5

Core FTP 2.0 build 653 PBSZ Unauthenticated Denial of Service

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

13th

Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process.

CWE	CWE-306
Vendor	coreftp
Product	core ftp
Published	Apr 5, 2026
Last Updated	Apr 6, 2026

Stay Ahead of the Next One

Get instant alerts for coreftp core ftp

Be the first to know when new high vulnerabilities affecting coreftp core ftp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

Coreftp / Core FTP

2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/46532 coreftp.com: http://www.coreftp.com/ coreftp.com: http://coreftp.com/server/download/archive/CoreFTPServer653.exe vulncheck.com: https://www.vulncheck.com/advisories/core-ftp-build-653-pbsz-unauthenticated-denial-of-service

Credits

Hodorsec ([email protected] / [email protected])