CVE-2018-25234
Received Received - Intake
Buffer Overflow in SmartFTP Client 9.0 Causes DoS Crash

Publication date: 2026-03-30

Last updated on: 2026-04-08

Assigner: VulnCheck

Description
SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25234
EUVD
EUVD-2018-21726
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
smartftp smartftp to 9.0.2615.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-466 A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25234 is a denial of service (DoS) vulnerability in SmartFTP Client version 9.0.2615.0 and earlier. It occurs when a local attacker inputs an excessively long string into the Host field of the application.

Specifically, supplying a buffer of 300 repeated characters in the Host connection parameter causes the application to crash. This is due to improper handling of input length, classified under CWE-466, which involves returning a pointer value outside the expected range.

Impact Analysis

This vulnerability can cause the SmartFTP Client application to crash, resulting in a denial of service. An attacker with local access can exploit this by pasting a specially crafted long string into the Host field, making the application unusable until restarted.

Since the attack requires local access and no privileges or user interaction, it can disrupt normal operations for users relying on the SmartFTP Client, potentially causing loss of productivity or interruption of file transfer activities.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition on the SmartFTP Client application. Specifically, a local user can test by supplying an excessively long string of 300 repeated characters into the Host field of the connection settings.

One practical method is to create a text file containing 300 repetitions of the ASCII character 'A' and then paste this string into the Host input field in the SmartFTP Client. If the application crashes, the vulnerability is present.

A sample approach involves using a Python script or command line to generate the test string. For example, on a system with Python installed, you can run:

  • python -c "print('A' * 300)" > network.txt

Then open the SmartFTP Client, go to Connection settings, and paste the contents of network.txt into the Host field to observe if the application crashes.

Mitigation Strategies

Immediate mitigation steps include avoiding the input of excessively long strings (300 or more characters) into the Host field of the SmartFTP Client.

Since the vulnerability requires local access to trigger, restricting local user permissions and access to the SmartFTP Client application can reduce the risk.

Additionally, monitor for updates or patches from the vendor (SmartFTP) that address this denial of service vulnerability and apply them as soon as they become available.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart