CVE-2019-25587
Received - Intake
Denial of Service via Buffer Overflow in BulletProof FTP Server

Publication date: 2026-03-22

Last updated on: 2026-03-25

Assigner: VulnCheck

Description
BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.
Meta Information
Published: 2026-03-22
Last Modified: 2026-03-25
Generated: 2026-06-16
AI Q&A: 2026-03-22
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
bpftpserver | bulletproof_ftp_server | 2019.0.0.50
CWE ID | Description
CWE-1282 | Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Executive Summary

CVE-2019-25587 is a denial of service (DoS) vulnerability in BulletProof FTP Server version 2019.0.0.50. It occurs due to improper input validation in the Storage-Path configuration parameter. A local attacker can enable the "Override Storage-Path" setting and input an excessively long string (500 bytes or more), which causes the application to crash when saving the configuration.

This vulnerability exploits the fact that the server does not properly handle very long strings in the storage path setting, leading to a crash and disruption of service. [1, 2]

Impact Analysis

This vulnerability can impact you by causing a denial of service condition on the BulletProof FTP Server. An attacker with local access can crash the FTP server application by supplying a long string in the storage path configuration, making the server unavailable to legitimate users.

The impact is primarily on availability, as the server stops functioning properly until it is restarted or the configuration is corrected.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition on the BulletProof FTP Server 2019.0.0.50 by using a proof-of-concept exploit.

- Run the Python script `BulletProof_Storage_Server_2019.0.0.50.py` to generate a payload file named `bullet_storage.txt` containing 500 'A' characters.
- Copy the contents of `bullet_storage.txt` to the clipboard.
- Open BulletProof FTP Server, navigate to Settings > Advanced, enable the 'Override Storage-Path' setting, and paste the clipboard content.
- Save the configuration; if the server crashes, the vulnerability is present.

[1]

Mitigation Strategies

I don't know
