
CVE-2019-25681

Severity: High ⚡ Exploit Available
CWE-787 — Out-of-bounds Write
Published: Apr 5, 2026  ·  Modified: Apr 12, 2026  ·  Source: NVD
CVSS v3.1 base score: 8.4
🔗 NVD Official
📄 Description (English)

Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that lets a local attacker crash the application and overwrite the SEH registration record by supplying an overlong string. A 428-byte payload entered in the program execution field of the virtual server configuration overflows a fixed-size buffer, corrupts the SEH chain and enables potential code execution in the context of the server process.
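The mechanism the description refers to, modelled as an added example; this is not Xlight FTP Server code, and the 400-byte buffer size, the frame layout, the offsets and the sentinel values are assumptions chosen to make the bug class visible. The 428-byte figure is the one quoted in the advisory. The model copies a configuration field into a fixed stack buffer without a bound, shows the saved SEH record behind that buffer being overwritten, maps the value that lands in the handler slot back to a payload offset (the pattern_create/pattern_offset technique), and contrasts the vulnerable copy with the bounded copy that rejects the overlong value.

```c
/* Added illustration (not Xlight FTP Server code): a model of the CWE-787
 * stack overflow behind an SEH overwrite, and of the bounded copy that
 * fixes it. Buffer size, frame layout, offsets and sentinel values are
 * assumptions chosen to make the mechanism visible. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_BUF    400                  /* assumed capacity of the local buffer   */
#define NSEH_OFF     FIELD_BUF            /* assumed: nSEH (next record) follows it  */
#define HANDLER_OFF  (FIELD_BUF + 4)      /* assumed: exception handler pointer      */
#define FRAME_SIZE   (FIELD_BUF + 8 + 32) /* slack so the model never leaves frame_t */
#define PAYLOAD_LEN  428                  /* length quoted in the advisory           */

#define NSEH_SENTINEL    0x41414141u      /* stand-ins for the genuine saved pointers */
#define HANDLER_SENTINEL 0xDEADC0DEu

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

static void     put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Fresh frame: zeroed field buffer with a fake SEH record behind it, the way a
 * 32-bit x86 frame keeps the registration record above the locals. */
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    put32(f->bytes + NSEH_OFF, NSEH_SENTINEL);
    put32(f->bytes + HANDLER_OFF, HANDLER_SENTINEL);
}

/* Vulnerable copy: trusts the caller-supplied length instead of FIELD_BUF.
 * A strcpy/lstrcpy-style copy in the real bug behaves the same; memcpy with
 * a frame-size cap is used only so this model stays within frame_t. */
static void vuln_store_field(frame_t *f, const uint8_t *field, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* model bound only; the bug has none */
    memcpy(f->bytes, field, len);
}

/* Hardened copy: refuse anything that does not fit together with its NUL.
 * Rejecting beats silent truncation for a "program to execute" value, since
 * a truncated command line is itself a logic bug. */
static bool safe_store_field(frame_t *f, const uint8_t *field, size_t len) {
    if (field == NULL || len >= FIELD_BUF) return false;
    memcpy(f->bytes, field, len);
    f->bytes[len] = 0;
    return true;
}

/* Constructed marker payload: the 32-bit word at offset o holds the value o,
 * so whatever lands in a saved pointer slot names its own offset (the idea
 * behind pattern_create/pattern_offset). */
static void build_marker_payload(uint8_t *out, size_t len) {
    size_t o = 0;
    for (; o + 4 <= len; o += 4) put32(out + o, (uint32_t)o);
    for (; o < len; o++) out[o] = 0xCC;        /* tail filler */
}

/* Feed a marker payload of the given length through the vulnerable copy and
 * report the payload offset found in the handler slot, or -1 if the handler
 * survived. Searching the payload for the leaked bytes is what pattern_offset
 * does with the SEH value read from a crash dump. */
static long vuln_demo(size_t len) {
    uint8_t payload[FRAME_SIZE];
    frame_t f;
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    build_marker_payload(payload, len);
    frame_init(&f);
    vuln_store_field(&f, payload, len);
    if (get32(f.bytes + HANDLER_OFF) == HANDLER_SENTINEL) return -1;
    for (size_t o = 0; o + 4 <= len; o++)
        if (memcmp(payload + o, f.bytes + HANDLER_OFF, 4) == 0) return (long)o;
    return -2;                                 /* clobbered, but not with payload bytes */
}

/* Same payload through the hardened copy. Returns 1 if accepted with the
 * handler intact, 0 if rejected with the handler intact, -1 if the handler
 * was clobbered, which would mean the fix is wrong. */
static int safe_demo(size_t len) {
    uint8_t payload[FRAME_SIZE];
    frame_t f;
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    build_marker_payload(payload, len);
    frame_init(&f);
    bool accepted = safe_store_field(&f, payload, len);
    if (get32(f.bytes + HANDLER_OFF) != HANDLER_SENTINEL) return -1;
    return accepted ? 1 : 0;
}

int main(void) {
    printf("vulnerable copy, %d-byte field: handler slot now holds payload offset %ld\n",
           PAYLOAD_LEN, vuln_demo(PAYLOAD_LEN));
    printf("hardened copy, %d-byte field: result %d (0 = rejected, handler intact)\n",
           PAYLOAD_LEN, safe_demo(PAYLOAD_LEN));
    return 0;
}
```

With the assumed layout, a 428-byte field puts payload offset 404 into the handler slot, which is why a working exploit for this class of bug needs a specific minimum length and places its handler address at a fixed offset; anything shorter than the buffer plus the nSEH slot leaves the handler untouched. The hardened path rejects every value of 400 bytes or more before any copy happens, and that same length threshold is what a configuration-monitoring rule for this server should alert on. On a real Windows host, SEHOP adds a second line of defence by refusing to dispatch a handler chain that the overflow has broken, independent of whether the application code was fixed.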

🤖 AI Executive Summary

Xlight FTP Server 3.9.1 contains a high-severity SEH overwrite buffer overflow (CVE-2019-25681, CVSS 3.1 base score 8.4) that allows a local attacker to achieve code execution through a crafted value in the virtual server configuration. Public exploit code exists and the NVD record lists no patch, so organizations still running this legacy FTP server need to mitigate through compensating controls or migrate. Note the attack vector: the overflow is triggered through the server's own configuration field (AV:L), so the realistic threat is an attacker who already has local access to the host and can edit the virtual server configuration, using the bug to run code in the context of the FTP service process; it is not reachable by an unauthenticated remote user.


🤖 AI Intelligence Analysis (analyzed Apr 24, 2026 11:51)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Xlight FTP Server 3.9.1 face critical risk, particularly in: (1) Government agencies and NCA-regulated entities managing file transfers; (2) Banking sector (SAMA-regulated) using legacy FTP infrastructure for inter-bank communications; (3) Energy sector (ARAMCO, SEC) with legacy FTP systems for operational data; (4) Telecom providers (STC, Mobily) managing network configuration files; (5) Healthcare institutions transferring patient records. An attacker with local access to the FTP server configuration could gain code execution with the privileges of the FTP service (full system compromise if it runs as SYSTEM) and use the host for lateral movement within critical infrastructure networks.
🏢 Affected Saudi Sectors
- Banking and Financial Services (SAMA-regulated)
- Government and Public Administration (NCA-regulated)
- Energy and Utilities (ARAMCO, SEC)
- Telecommunications (STC, Mobily, Zain)
- Healthcare and Medical Services
- Education and Research Institutions
- Manufacturing and Industrial Control Systems
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Xlight FTP Server 3.9.1 instances across the organization
2. Restrict local access to the Xlight installation and configuration directories with OS-level access controls (NTFS permissions on Windows) so that only administrators can edit the virtual server configuration
3. Disable the FTP server if it is not actively required; migrate to SFTP or FTPS alternatives
4. Implement application control (for example AppLocker or WDAC) to block execution of unauthorized binaries from FTP directories

COMPENSATING CONTROLS:
1. Enable SEHOP, DEP and mandatory ASLR for the Xlight server process through Windows Exploit Protection; SEHOP validates the exception handler chain before a handler is dispatched and defeats the straightforward SEH overwrite this bug enables, while DEP stops a payload executing from the stack
2. Monitor FTP configuration file access and modifications in real time (file-system auditing or Sysmon file events)
3. Run the FTP service under a dedicated low-privilege account rather than LocalSystem, so a successful overflow does not yield SYSTEM
4. Isolate the FTP server on a dedicated VLAN with strict network segmentation

PATCHING STRATEGY:
1. Upgrade to Xlight FTP Server 4.x or later once tested, after confirming with the vendor that this overflow is fixed (the NVD record lists no patch)
2. If an upgrade is not feasible, migrate to an alternative FTP server (FileZilla Server, ProFTPD, vsftpd)
3. Make SFTP/FTPS the primary file transfer protocol

DETECTION RULES:
1. Alert when the program execution field, or any other virtual server configuration value, is set to 428 bytes or more; legitimate command lines stay well below the length the published payload needs
2. Alert on crashes of the Xlight server process: Windows Application log Event ID 1000 (Application Error) with exception code 0xc0000005, and Event ID 1001 (Windows Error Reporting); with SEHOP enabled, a blocked overwrite attempt terminates the process and surfaces here
3. Track child processes spawned by the FTP server process (Sysmon Event ID 1, or Security Event ID 4688 with the creator process recorded)
4. Monitor for other abnormal FTP server process behaviour (repeated restarts, memory access violations)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control Policies (restrict local access to FTP configuration)
- ECC 2024 A.8.1.1 - Asset Management (inventory and classify FTP servers)
- ECC 2024 A.12.2.1 - Change Management (control FTP server configuration changes)
- ECC 2024 A.12.4.1 - Event Logging (monitor FTP configuration access and modifications)
🔵 SAMA CSF (mapped through NIST CSF subcategory identifiers)
- ID.AM-1 - Asset Management (identify and manage FTP server assets)
- PR.AC-1 - Access Control (implement least privilege for FTP processes)
- PR.PT-1 - Protection Technology (deploy SEHOP/DEP/ASLR, host monitoring)
- DE.CM-1 - Detection and Analysis (monitor for process crashes and configuration tampering)
- RS.MI-1 - Response Mitigation (isolate affected systems, implement compensating controls)
🟡 ISO 27001:2022
- A.5.1 - Policies for information security (establish FTP security policy)
- A.5.2 - Information security roles and responsibilities (assign responsibility for FTP security)
- A.5.9 - Inventory of information and other associated assets (maintain FTP server inventory)
- A.5.14 - Information transfer (secure FTP data transfers)
- A.8.32 - Change management (control FTP configuration changes)
- A.8.15 - Logging (log FTP access and modifications)
- A.8.25 - Secure development life cycle (secure coding practices for FTP alternatives)
🟣 PCI DSS v4.0.1
- Requirement 1.3 - Network access to and from the cardholder data environment is restricted (isolate FTP server on dedicated VLAN)
- Requirement 2.2 - System components are configured and managed securely (change FTP server default settings)
- Requirement 6.3 - Security vulnerabilities are identified and addressed (apply compensating controls for the unpatched vulnerability)
- Requirement 10.2 - Audit logs are implemented (log FTP configuration access and modifications)
📦 Affected Products / CPE (1 entry)
xlightftpd:xlight_ftp_server:3.9.1
📊 CVSS Score
8.4
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): L — Local
Attack Complexity (AC): L — Low
Privileges Required (PR): N — None
User Interaction (UI): N — None
Scope (S): U — Unchanged
Confidentiality (C): H — High
Integrity (I): H — High
Availability (A): H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.4
CWE: CWE-787
EPSS: 0.01%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-04-05
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.7
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-787