CVE-2020-37155
Unknown Unknown - Not Provided
Buffer Overflow in Core FTP Lite 1.3 Causes Application Crash

Publication date: 2026-02-07

Last updated on: 2026-02-07

Assigner: VulnCheck

Description
Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated 'A' characters to trigger an application crash without requiring additional interaction.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-02-07
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37155
EUVD
EUVD-2020-31108
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
core_ftp core_ftp_lite to 1.3c_build_1437 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2020-37155 is a buffer overflow vulnerability in Core FTP Lite version 1.3c Build 1437 and earlier. It occurs in the username input field where the application does not properly check the size of the input. An attacker can exploit this by supplying an oversized input, specifically a payload of 7000 repeated 'A' characters, which causes the application to crash."}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-120, which involves buffer copy without checking the size of the input, leading to a denial of service condition.'}] [2]

Impact Analysis

This vulnerability can be exploited to cause a denial of service (DoS) by crashing the Core FTP Lite application. An attacker can trigger this by providing a specially crafted oversized username input, causing the application to immediately crash and become unavailable.

The impact is limited to availability, as the vulnerability does not affect confidentiality or integrity, but it results in high availability impact by making the application unusable until restarted.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to reproduce the crash condition on the Core FTP Lite application version 1.3c Build 1437 or earlier. A proof-of-concept involves creating a payload of 7000 repeated 'A' characters and inputting it into the username field of the application."}, {'type': 'paragraph', 'content': 'One way to test this is by using a simple script to generate a file containing the payload, then pasting the payload into the username textbox of the Core FTP Lite client to see if it crashes.'}, {'type': 'paragraph', 'content': 'Example commands to generate the payload file (named mi.txt) using Python:'}, {'type': 'list_item', 'content': 'python -c "print(\'A\'*7000)" > mi.txt'}, {'type': 'paragraph', 'content': 'Then, open the Core FTP Lite application and paste the contents of mi.txt into the username input field. If the application crashes immediately, the vulnerability is present.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Core FTP Lite version 1.3c Build 1437 or earlier until a patch or update is available.

Since the vulnerability requires local user interaction (pasting the oversized input into the username field), restricting access to trusted users and limiting local access to the application can reduce risk.

Additionally, monitoring for unusual application crashes and educating users to avoid pasting or entering suspiciously long inputs into the username field can help mitigate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart