CVE-2019-25614 Overview
CVE-2019-25614 is a buffer overflow vulnerability in Free Float FTP Server 1.0. The flaw resides in the STOR command handler and allows remote attackers to execute arbitrary code on the FTP server. Attackers authenticate using anonymous credentials, then send a crafted STOR request containing 247 bytes of padding followed by a return address and shellcode. The vulnerability is categorized under CWE-787 (Out-of-bounds Write) and requires no user interaction. The issue affects Free Float FTP Server version 1.0, a legacy FTP product with no available vendor patch.
Critical Impact
Remote attackers holding no valid account can achieve arbitrary code execution on the FTP server, using only the default anonymous login and a single crafted STOR command.
Affected Products
- Freefloat FTP Server 1.0
- CPE: cpe:2.3:a:freefloat:freefloat_ftp_server:1.0
- Component: freefloat:freefloat_ftp_server
Discovery Timeline
- 2026-03-22 - CVE-2019-25614 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2019-25614
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow in the STOR command processing logic of Free Float FTP Server 1.0. When the server receives a STOR request, it copies the filename argument into a fixed-size stack buffer without validating the input length. By supplying 247 bytes of padding followed by a 4-byte return address and shellcode, an attacker overwrites the saved return pointer on the stack and redirects execution into attacker-controlled memory.
The FTP service accepts anonymous authentication by default. This removes any meaningful access barrier before the vulnerable code path is reached. An attacker only needs network reachability to the FTP port to deliver the payload.
The CWE-787 classification confirms the root issue as an out-of-bounds write. Code executes in the security context of the FTP server process, granting attackers the privileges held by that process on the host.
Root Cause
The STOR command handler does not enforce a length check on the filename argument before copying it into a stack-allocated buffer. The absence of bounds validation, combined with the lack of modern exploit mitigations such as stack canaries, Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR) in the legacy binary, makes return-pointer overwrite straightforward.
Attack Vector
The attack is network-based and requires no privileges. An attacker connects to the FTP service, authenticates anonymously, and sends a STOR command with a filename argument totaling 247 bytes of padding, a return address pointing to a JMP ESP gadget or equivalent, and embedded shellcode. The overflow overwrites the saved return address and transfers execution to the shellcode. Refer to the Exploit-DB #46763 entry and the VulnCheck Advisory on FreeFloat FTP for proof-of-concept details.
Detection Methods for CVE-2019-25614
Indicators of Compromise
- Inbound FTP sessions authenticating with anonymous credentials immediately followed by oversized STOR commands
- STOR command arguments exceeding 200 bytes in length
- FTP server process spawning child processes such as cmd.exe or shell interpreters
- Outbound network connections originating from the FTP server process to unexpected destinations
Detection Strategies
- Inspect FTP traffic at the network layer for STOR commands with abnormally long filename arguments
- Monitor the FreeFloat FTP server process for unexpected memory regions marked as executable
- Alert on any process creation events where the FTP server is the parent process
- Correlate anonymous FTP logins with subsequent process or network anomalies on the same host
Monitoring Recommendations
- Enable verbose FTP command logging and forward logs to a centralized analytics platform for length-based anomaly detection
- Track stack-based exception events and access violations in the FTP server process
- Baseline normal STOR command argument sizes and alert on statistical outliers
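The length-based detection described in the indicators and strategies above, as an added example that is not part of the original advisory: it walks a verbose FTP command log, remembers which client sessions logged in as anonymous, and raises an alert for any STOR argument over the 200-byte threshold, rated higher when the session was anonymous. The log line layout ("timestamp client_ip command argument") and the sample lines are constructed assumptions; adapt the regex to the real server's log format.

```python
import re

# Threshold taken from the advisory's indicator list: STOR arguments over
# 200 bytes are anomalous for real filenames and sit below the 247-byte
# padding the known overflow requires, so alerts fire before a full payload.
STOR_ARG_THRESHOLD = 200

# Constructed sample log; the "<timestamp> <client_ip> <command> [arg]"
# layout is an assumption, not Free Float FTP Server's own format.
SAMPLE_LOG = "\n".join([
    "2026-03-22T10:00:01 203.0.113.5 USER anonymous",
    "2026-03-22T10:00:01 203.0.113.5 PASS guest@example.com",
    "2026-03-22T10:00:02 203.0.113.5 STOR " + "A" * 260,  # oversized argument
    "2026-03-22T10:05:00 198.51.100.9 USER alice",
    "2026-03-22T10:05:00 198.51.100.9 PASS ********",
    "2026-03-22T10:05:01 198.51.100.9 STOR quarterly-report.pdf",
])

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>\S+)(?: (?P<arg>.*))?$")


def analyze_ftp_log(text, threshold=STOR_ARG_THRESHOLD):
    """Return one alert dict per oversized STOR argument found in the log."""
    anonymous = set()  # client IPs whose current session used anonymous login
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, cmd, arg = m["ip"], m["cmd"].upper(), m["arg"] or ""
        if cmd == "USER":
            # "anonymous" and "ftp" are the conventional anonymous usernames
            if arg.strip().lower() in ("anonymous", "ftp"):
                anonymous.add(ip)
            else:
                anonymous.discard(ip)
        elif cmd == "STOR":
            # Measure bytes on the wire, not characters, since the overflow
            # depends on byte length
            size = len(arg.encode("latin-1", "replace"))
            if size > threshold:
                is_anon = ip in anonymous
                alerts.append({
                    "ts": m["ts"], "ip": ip, "arg_len": size,
                    "anonymous": is_anon,
                    "severity": "high" if is_anon else "medium",
                })
    return alerts
```

Correlating the alert with a process-creation event whose parent is the FTP server process (the third indicator above) turns a suspicious command into a confirmed compromise.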
How to Mitigate CVE-2019-25614
Immediate Actions Required
- Decommission Free Float FTP Server 1.0 in production environments because the product is unmaintained and no vendor patch exists
- Block inbound TCP/21 access to affected hosts at the perimeter firewall until the service is removed
- Disable anonymous authentication if continued operation is unavoidable during transition
- Migrate FTP workloads to a maintained, modern file transfer solution that supports SFTP or FTPS
Patch Information
No vendor patch is available. Free Float FTP Server 1.0 is an unmaintained product. The only reliable remediation is to remove the software from the environment. Review the VulnCheck Advisory on FreeFloat FTP for guidance.
Workarounds
- Restrict FTP access using host-based firewalls to a narrow allowlist of administrative source IPs
- Place the FTP server behind a VPN or jump host to eliminate direct internet exposure
- Deploy network intrusion prevention signatures that drop FTP STOR commands with arguments longer than a safe threshold
- Run the FTP service under a low-privilege account to limit post-exploitation impact
# Example iptables rules to restrict FTP access to a management subnet
# (10.0.0.0/24 is a placeholder; substitute the real management network)
iptables -A INPUT -p tcp --dport 21 -s 10.0.0.0/24 -j ACCEPT
# Drop every other inbound connection to the FTP control port; order matters,
# the ACCEPT rule must precede this one
iptables -A INPUT -p tcp --dport 21 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.