CVE-2018-25229
Received Received - Intake
Buffer Overflow in BulletProof FTP SMTP Interface Causes DoS

Publication date: 2026-03-30

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25229
EUVD
EUVD-2018-21716
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bpftpserver bulletproof_ftp_server 2019.0.0.50
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1282 Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25229 is a denial of service vulnerability in BulletProof FTP Server version 2019.0.0.50. It exists in the SMTP configuration interface where local attackers can crash the application by inputting an oversized string.

Specifically, by entering a buffer of 257 'A' characters into the SMTP Server field and clicking the Test button, the application crashes due to improper input validation and buffer handling, causing a buffer overflow condition.

Impact Analysis

This vulnerability can cause the BulletProof FTP Server application to crash, resulting in a denial of service condition.

Since the attack requires local access and user interaction, an attacker with local access can disrupt the availability of the FTP server by triggering this crash.

The impact is limited to denial of service; it does not affect confidentiality or integrity of data.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition in the BulletProof FTP Server application. Specifically, you can test the SMTP Server configuration interface by inputting an oversized string of 257 'A' characters into the SMTP Server field and then clicking the Test button.

A practical method involves creating a text file containing 257 'A' characters, copying this string to the clipboard, and pasting it into the SMTP Server input field within the application's settings.

There is no specific network command to detect this vulnerability remotely since it requires local interaction with the application's GUI. However, the exploit can be scripted, as demonstrated by a Python script that generates the malicious input.

Mitigation Strategies

To mitigate this vulnerability immediately, avoid inputting oversized strings (specifically 257 or more characters) into the SMTP Server field in the BulletProof FTP Server settings.

Restrict local user access to the BulletProof FTP Server application to prevent untrusted users from interacting with the SMTP configuration interface.

Monitor for application crashes related to the SMTP Server settings and consider disabling or limiting the use of the SMTP configuration interface if possible until a patch or update is available.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart