📄 Description (English)
Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
🤖 AI Executive Summary
CVE-2019-25654 is a buffer overflow vulnerability in Core FTP/SFTP Server 1.2 that allows remote attackers to cause denial of service by sending an excessively long string (7000+ bytes) in the User domain field. With a CVSS score of 7.5 and no available patch, this vulnerability poses a significant risk to organizations relying on this FTP service for file transfer operations. The lack of exploit availability provides limited immediate threat, but the vulnerability remains exploitable through straightforward payload delivery.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 01:19
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in the following sectors: (1) Government agencies and ministries using Core FTP for secure file transfers and document management; (2) Banking and financial institutions (SAMA-regulated) utilizing FTP/SFTP for inter-bank communications and settlement processes; (3) Energy sector (ARAMCO and related entities) relying on FTP for operational technology data exchange; (4) Telecommunications providers (STC, Mobily) using FTP for network management and customer data transfers; (5) Healthcare organizations managing patient records and medical imaging via FTP. The lack of a patch creates persistent risk for critical infrastructure and sensitive data handling operations.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Energy and Utilities
Telecommunications
Healthcare
Defense and Security
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all instances of Core FTP/SFTP Server 1.2 across your infrastructure
2. Restrict network access to FTP/SFTP services using firewall rules (whitelist only authorized IP ranges)
3. Disable the FTP service if not actively required for business operations
4. Monitor FTP logs for suspicious domain field entries exceeding normal length patterns
Compensating Controls:
1. Implement input validation at the network perimeter using WAF/IDS rules to detect and block payloads >1000 bytes in FTP domain fields
2. Deploy network segmentation to isolate FTP servers from critical systems
3. Enable detailed logging and alerting for FTP connection attempts with abnormal parameters
4. Implement rate limiting on FTP connection attempts
5. Consider upgrading to alternative FTP solutions with active security support (e.g., FileZilla Server, ProFTPD with current patches)
Detection Rules:
1. Alert on FTP USER commands with domain field exceeding 500 characters
2. Monitor for Core FTP process crashes or service restarts
3. Track failed FTP authentication attempts with oversized payloads
4. Implement YARA rule: detect strings matching 'USER.*[domain field with 7000+ bytes]'
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نسخ Core FTP/SFTP Server 1.2 عبر البنية التحتية الخاصة بك
2. قيد الوصول إلى شبكة خدمات FTP/SFTP باستخدام قواعد جدار الحماية (قائمة بيضاء للنطاقات المصرح بها فقط)
3. عطّل خدمة FTP إذا لم تكن مطلوبة بنشاط للعمليات التجارية
4. راقب سجلات FTP للبحث عن إدخالات حقل نطاق مريبة تتجاوز أنماط الطول العادية
الضوابط التعويضية:
1. تطبيق التحقق من صحة الإدخال على محيط الشبكة باستخدام قواعد WAF/IDS للكشف عن الحمولات التي تتجاوز 1000 بايت وحجبها
2. نشر تقسيم الشبكة لعزل خوادم FTP عن الأنظمة الحرجة
3. تفعيل السجلات التفصيلية والتنبيهات لمحاولات اتصال FTP ذات المعاملات غير الطبيعية
4. تطبيق تحديد معدل على محاولات اتصال FTP
5. النظر في الترقية إلى حلول FTP بديلة مع دعم أمني نشط
قواعد الكشف:
1. تنبيه على أوامر FTP USER مع حقل نطاق يتجاوز 500 حرف
2. مراقبة أعطال عملية Core FTP أو إعادة تشغيل الخدمة
3. تتبع محاولات المصادقة الفاشلة في FTP مع حمولات مبالغ فيها
4. تطبيق قاعدة YARA: الكشف عن السلاسل المطابقة لأنماط الحمولات الكبيرة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.2.1 - Monitoring of system use
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - System and information integrity
DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.5 - Secure development environment
A.12.2.1 - Monitoring of system use
🟣 PCI DSS v4.0.1
6.2 - Ensure security patches are installed
11.2 - Run automated vulnerability scans
12.2 - Implement configuration standards
🔗 References & Sources 4
🔗
🔗
🔗
🔗
http://www.coreftp.com/
disclosure@vulncheck.com
http://www.coreftp.com/server/download/archive/CoreFTPServer589.42.exe
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46371
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/core-ftp-sftp-server-denial-of-service-via-buffer-...
disclosure@vulncheck.com