CVE-2020-19596

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Core FTP Server allows remote attackers to execute arbitrary code by sending a specially crafted username. This affects all systems running Core FTP Server version 1.2 Build 583, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • Core FTP Server
Versions: 1.2 Build 583
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of this specific build are vulnerable. The vulnerability is in the authentication component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/root privileges leading to complete server takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to server compromise, installation of backdoors, and credential theft.

🟢 If Mitigated

Denial of service or an application crash if the exploit fails or existing controls prevent code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and the vulnerability requires no authentication to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2 Build 584 or later

Vendor Advisory: https://www.coreftp.com/forums/viewtopic.php?t=4022986

Restart Required: Yes

Instructions:

1. Download the latest version from coreftp.com
2. Stop the Core FTP Server service
3. Install the update
4. Restart the service

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Restrict access to the FTP server to trusted IP addresses only.

Use firewall rules to allow only specific source IPs to reach port 21.

Disable Anonymous Authentication (platform: windows)

Require authenticated users only.

In the Core FTP Server settings, disable anonymous login.

🧯 If You Can't Patch

  • Immediately isolate the server from internet access
  • Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Core FTP Server version in About dialog or registry: HKEY_LOCAL_MACHINE\SOFTWARE\CoreFTP\Server\Version

Check Version:

reg query "HKLM\SOFTWARE\CoreFTP\Server" /v Version

Verify Fix Applied:

Verify that the version is 1.2 Build 584 or higher, then confirm with known exploit payloads in a controlled environment that the service no longer crashes.

📡 Detection & Monitoring

Log Indicators:

  • Failed login attempts with unusually long usernames
  • Server crash/restart events in application logs

Network Indicators:

  • FTP connections with username fields exceeding normal length
  • Multiple failed authentication attempts from single source

SIEM Query:

source="CoreFTP" AND ((event="authentication_failed" AND username_length>100) OR event="service_crash")
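The three indicators above, applied to log lines, as an added example that is not part of this advisory: the log layout ("<timestamp> <event> src=<ip> user=<name>") and the sample lines are constructed assumptions, since the real Core FTP Server log format is not given on the page; the 100-character username threshold matches the SIEM query.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "<ts> <event> src=<ip> user=<name>" layout;
# the actual Core FTP Server log format is not specified in the advisory.
LONG_USER = "A" * 200
SAMPLE_LOGS = [
    "2020-06-01T10:00:01 authentication_failed src=203.0.113.5 user=alice",
    "2020-06-01T10:00:02 authentication_failed src=203.0.113.5 user=bob",
    "2020-06-01T10:00:03 authentication_failed src=203.0.113.5 user=carol",
    f"2020-06-01T10:00:04 authentication_failed src=198.51.100.7 user={LONG_USER}",
    "2020-06-01T10:00:05 service_crash src=- user=-",
    "2020-06-01T10:00:06 authentication_ok src=192.0.2.10 user=dave",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>.*)$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_indicators(lines, max_user_len=100, fail_threshold=3):
    """Flag over-long usernames on failed logins, service crashes, and
    repeated failures from a single source address."""
    findings = []
    failures_by_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the sweep
        if rec["event"] == "authentication_failed":
            failures_by_src[rec["src"]] += 1
            if len(rec["user"]) > max_user_len:
                findings.append({"kind": "long_username", "src": rec["src"],
                                 "user_len": len(rec["user"]), "ts": rec["ts"]})
        elif rec["event"] == "service_crash":
            findings.append({"kind": "service_crash", "ts": rec["ts"]})
    for src, n in failures_by_src.items():
        if n >= fail_threshold:
            findings.append({"kind": "repeated_failures", "src": src, "count": n})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOGS):
        print(finding)
```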
