CVE-2025-4161 Overview
CVE-2025-4161 is a buffer overflow vulnerability in PCMan FTP Server through version 2.0.7. The flaw resides in the VERBOSE command handler, where unbounded input handling allows attackers to corrupt memory. Remote attackers can trigger the condition over the network without authentication or user interaction. The exploit has been publicly disclosed, increasing the risk of opportunistic attacks against exposed FTP services. The vulnerability is categorized under [CWE-119], improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Remote unauthenticated attackers can trigger a buffer overflow through the VERBOSE FTP command, potentially leading to service disruption or arbitrary code execution on hosts running PCMan FTP Server 2.0.7 and earlier.
Affected Products
- PCMan FTP Server versions up to and including 2.0.7
- Deployments exposing the FTP service on TCP port 21
- Legacy Windows hosts running unmaintained PCMan FTP installations
Discovery Timeline
- 2025-05-01 - CVE-2025-4161 published to NVD
- 2025-06-24 - Last updated in NVD database
Technical Details for CVE-2025-4161
Vulnerability Analysis
The vulnerability stems from the VERBOSE command handler in PCMan FTP Server failing to validate the length of attacker-supplied input. When an oversized argument is passed to the VERBOSE command, the server copies the data into a fixed-size stack buffer without performing bounds checking. This overwrites adjacent stack memory, including saved return addresses and structured exception handler (SEH) records.
PCMan FTP Server is a legacy Windows FTP application that has been the subject of multiple buffer overflow disclosures over the years. The product is no longer actively maintained, which means no vendor patch is expected for this issue. The exploit chain follows a pattern familiar to memory corruption vulnerabilities in legacy FTP daemons compiled without modern mitigations such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
With an EPSS score of 0.479% the likelihood of broad exploitation is moderate, though public exploit code lowers the barrier for opportunistic attackers.
Root Cause
The root cause is missing length validation in the VERBOSE command parser. The handler accepts variable-length user input but writes it into a fixed-size buffer using unsafe string operations. This classic stack-based buffer overflow pattern matches [CWE-119].
Attack Vector
An attacker connects to the FTP service on TCP port 21 and issues the VERBOSE command with an overly long argument. No credentials are required if anonymous access is enabled, and post-authentication exploitation is possible when login is required. The malformed command triggers stack corruption that can lead to denial of service or arbitrary code execution under the privileges of the FTP server process.
The vulnerability mechanism is publicly documented in the exploit report hosted at Fitoxs Exploit Report and tracked through VulDB #306693. No verified patch or vendor advisory exists for this issue.
Detection Methods for CVE-2025-4161
Indicators of Compromise
- Unusually long argument strings following the VERBOSE FTP command in network captures or FTP server logs
- Crashes or unexpected restarts of the PCMan FTP Server process (PCManFTPD2.exe)
- Outbound connections from the FTP server host to unexpected IP addresses following malformed FTP traffic
- New or modified executables in directories writable by the FTP service account
Detection Strategies
- Inspect FTP traffic for command arguments exceeding typical lengths, particularly on the VERBOSE verb
- Correlate FTP server process crashes with preceding network traffic to identify exploitation attempts
- Deploy network intrusion detection signatures targeting oversized FTP command parameters
- Hunt for child processes spawned by PCManFTPD2.exe, which is anomalous for a standard FTP daemon
Monitoring Recommendations
- Forward FTP server logs and Windows Event Logs to a central SIEM for retention and analysis
- Alert on Application Error events referencing the PCMan FTP Server binary
- Monitor TCP port 21 ingress traffic on hosts running legacy FTP services and baseline normal command patterns
How to Mitigate CVE-2025-4161
Immediate Actions Required
- Decommission PCMan FTP Server installations, as the product is unmaintained and no vendor fix is available
- Block inbound TCP port 21 at perimeter firewalls if the FTP service must remain online during migration
- Restrict access to the FTP service using IP allowlists limited to known administrative hosts
- Disable anonymous FTP access to reduce the unauthenticated attack surface
Patch Information
No vendor patch is available for CVE-2025-4161. PCMan FTP Server is legacy software and the vendor has not published a security advisory addressing this issue. Organizations should migrate to a maintained FTP or SFTP server such as FileZilla Server, vsftpd, or OpenSSH SFTP.
Workarounds
- Replace PCMan FTP Server with a maintained, actively supported alternative that uses SFTP or FTPS
- Place the FTP service behind a VPN or jump host to eliminate direct internet exposure
- Run the FTP service under a low-privilege account to limit the impact of successful exploitation
- Enable host-based exploit mitigations such as DEP and ASLR system-wide on Windows hosts running legacy software
# Example: block inbound FTP at the Windows firewall as an interim control
netsh advfirewall firewall add rule name="Block Inbound FTP" dir=in action=block protocol=TCP localport=21
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
