CVE-2025-14242
📋 TL;DR
This vulnerability in vsftpd allows a remote authenticated attacker to cause a denial of service (DoS) by sending a specially crafted STAT command that triggers an integer overflow during ls command parameter parsing. The flaw can crash the vsftpd service, disrupting FTP operations. Systems running vulnerable versions of vsftpd with authenticated user access are affected.
💻 Affected Systems
- vsftpd
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of vsftpd, requiring manual restart and potentially causing extended FTP service downtime.
Likely Case
Temporary service crash affecting FTP availability until the service is restarted.
If Mitigated
Minimal impact if proper network segmentation and authentication controls limit access to trusted users only.
🎯 Exploit Status
Exploitation requires valid user credentials; no public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories (RHSA-2026:0605, RHSA-2026:0606, RHSA-2026:0608) for patched versions.
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-14242
Restart Required: Yes
Instructions:
1. Update vsftpd using your distribution's package manager (e.g., 'yum update vsftpd' on RHEL).
2. Restart the vsftpd service (e.g., 'systemctl restart vsftpd').
3. Verify the update with 'rpm -q vsftpd' or equivalent.
🔧 Temporary Workarounds
Restrict FTP Access
Limit vsftpd access to trusted IP addresses using firewall rules or vsftpd configuration. The ACCEPT rule must be inserted before the DROP rule; if passive mode is in use, the data-connection port range (pasv_min_port to pasv_max_port in vsftpd.conf) needs matching rules as well.
iptables -A INPUT -p tcp --dport 21 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
Disable STAT Command
Configure vsftpd to reject STAT commands if they are not required for functionality. cmds_denied takes a comma-separated list of FTP commands that are refused after login, so STAT can be added to an existing list; note that some clients issue STAT -l instead of LIST for directory listings and will stop working.
Add 'cmds_denied=STAT' to vsftpd.conf
🧯 If You Can't Patch
- Implement strict network access controls to limit FTP access to essential users only.
- Monitor vsftpd logs for unusual STAT command patterns and set up alerts for service crashes.
🔍 How to Verify
Check if Vulnerable:
Check the installed vsftpd version against the Red Hat advisories, and check whether the STAT command is still permitted (i.e., not listed in cmds_denied in vsftpd.conf).
Check Version:
rpm -q vsftpd # On RHEL-based systems
Verify Fix Applied:
Confirm vsftpd version is updated per vendor advisories and test STAT command functionality.
📡 Detection & Monitoring
Log Indicators:
- vsftpd service crashes or restarts
- Unusual STAT command patterns in vsftpd logs
Network Indicators:
- Multiple STAT commands from a single source within a short time window
SIEM Query:
source="vsftpd" AND (STAT OR crash)
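The two log indicators above (a burst of STAT commands from one client, followed by a service crash or restart) can be checked offline against vsftpd's own log. The script below is an added example written for this page, not code from the vsftpd project or the advisory. It assumes vsftpd is logging with log_ftp_protocol=YES (which produces the "FTP command:" lines) and that crash evidence arrives as systemd journal lines; the log lines, client addresses, users and thresholds are constructed sample values.

```python
"""Flag STAT-command bursts per client and vsftpd crash indicators in log text.

Added example for the detection guidance above; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: vsftpd.log entries (log_ftp_protocol=YES) plus two systemd
# journal lines of the kind recorded when the service dies on a signal.
SAMPLE_LOG = """\
Tue Oct  1 10:00:01 2024 [pid 2101] [alice] FTP command: Client "::ffff:192.0.2.10", "PWD"
Tue Oct  1 10:00:02 2024 [pid 2101] [alice] FTP command: Client "::ffff:192.0.2.10", "STAT /pub"
Tue Oct  1 10:00:02 2024 [pid 2101] [alice] FTP response: Client "::ffff:192.0.2.10", "213-Status follows:"
Tue Oct  1 10:00:03 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Tue Oct  1 10:00:03 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Tue Oct  1 10:00:04 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Tue Oct  1 10:00:04 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Tue Oct  1 10:00:05 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Tue Oct  1 10:00:05 2024 [pid 2102] [bob] FTP command: Client "::ffff:198.51.100.7", "STAT -l"
Oct 01 10:00:05 ftp01 systemd[1]: vsftpd.service: Main process exited, code=killed, status=11/SEGV
Oct 01 10:00:05 ftp01 systemd[1]: vsftpd.service: Failed with result 'signal'.
Tue Oct  1 10:00:20 2024 [pid 2103] [carol] FTP command: Client "::ffff:203.0.113.5", "STAT"
"""

# vsftpd protocol-log line: timestamp, [pid N], [user], FTP command: Client "addr", "CMD args"
CMD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FTP command: Client "(?P<client>[^"]+)", "(?P<cmd>[^"]*)"$'
)
# Crash/restart evidence as systemd or the kernel would phrase it.
CRASH_RE = re.compile(
    r'vsftpd.*(Main process exited|Failed with result|segfault|core dumped)', re.I
)


def parse_command(line):
    """Return {ts, user, client, verb} for an 'FTP command:' line, else None."""
    m = CMD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
    client = m['client']
    if client.startswith('::ffff:'):  # IPv4 client seen through an IPv6 listener
        client = client[len('::ffff:'):]
    verb = m['cmd'].split(' ', 1)[0].upper()
    return {'ts': ts, 'user': m['user'], 'client': client, 'verb': verb}


def detect_stat_bursts(lines, threshold=5, window_seconds=10):
    """Map client -> peak number of STAT commands seen inside a sliding window,
    for clients that reached `threshold` STATs within `window_seconds`."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_command(line)
        if rec is None or rec['verb'] != 'STAT':
            continue
        q = windows[rec['client']]
        q.append(rec['ts'])
        while (rec['ts'] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec['client']] = max(peaks.get(rec['client'], 0), len(q))
    return peaks


def detect_crash_indicators(lines):
    """Return the lines that indicate vsftpd exiting abnormally or being restarted."""
    return [line for line in lines if CRASH_RE.search(line)]


def analyze(text, **kwargs):
    lines = text.splitlines()
    return {
        'stat_bursts': detect_stat_bursts(lines, **kwargs),
        'crash_lines': detect_crash_indicators(lines),
    }


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for client, n in result['stat_bursts'].items():
        print(f'ALERT: {n} STAT commands from {client} inside the window')
    for line in result['crash_lines']:
        print('CRASH:', line)
```

On the constructed sample the script flags 198.51.100.7 (six STATs in two seconds) and the two systemd lines, while the single STAT from the other clients stays below the threshold. Tune threshold and window_seconds to the baseline of your own clients; mirror clients that legitimately use STAT -l for listings will need a higher threshold.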