CVE-2020-37208
Undergoing Analysis Undergoing Analysis - In Progress
Buffer Overflow in SpotFTP 3.0.0.0 Causes Application Crash

Publication date: 2026-02-11

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
SpotFTP 3.0.0.0 contains a buffer overflow vulnerability in the registration key input field that allows attackers to crash the application. Attackers can generate a 1000-character payload and paste it into the 'Key' field to trigger an application crash and denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37208
EUVD
EUVD-2020-31180
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nsasoft spotftp 3.0.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-37208 is a buffer overflow vulnerability in SpotFTP FTP Password Recovery version 3.0.0.0 and earlier. It occurs in the registration key input field, where an attacker can input a specially crafted payload of about 1000 characters.

This crafted input causes the application to crash by overflowing the buffer, leading to a denial of service (DoS) condition.

The attack requires local access, low complexity, no privileges, and user interaction to trigger the crash.

Impact Analysis

This vulnerability can cause the SpotFTP application to crash when a maliciously crafted registration key is entered.

The impact is a denial of service (DoS), meaning legitimate users will be unable to use the application while it is crashed.

There is no impact on confidentiality or integrity of data, only availability is affected.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to reproduce the denial of service condition locally on the system running SpotFTP 3.0.0.0. Specifically, an attacker or tester can generate a payload of approximately 1000 characters and input it into the 'Key' registration field of the application."}, {'type': 'paragraph', 'content': "A practical detection method involves creating a file with 1000 'A' characters and pasting this payload into the registration key field to see if the application crashes."}, {'type': 'paragraph', 'content': 'For example, on a Windows system, you can create the payload using a simple Python command:'}, {'type': 'list_item', 'content': 'python -c "print(\'A\'*1000)" > poc.txt'}, {'type': 'paragraph', 'content': "Then open the file, copy the content, and paste it into the 'Key' field of SpotFTP. If the application crashes, the vulnerability is present."}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting local access to the SpotFTP application to trusted users only, since the attack requires local access and user interaction.

Avoid pasting or entering untrusted or suspiciously long registration keys into the application.

If possible, monitor and limit user interactions with the registration key input field to prevent exploitation.

Additionally, consider running SpotFTP in a controlled environment or sandbox to minimize impact if a crash occurs.

Since no official patch or update information is provided, contacting the vendor or checking for updates regularly is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart