CVE-2025-4238

7.3 HIGH

📋 TL;DR

CVE-2025-4238 is a critical buffer overflow vulnerability in PCMan FTP Server 2.0.7's MGET command handler that allows remote attackers to execute arbitrary code or crash the service. This affects anyone running the vulnerable FTP server version. The exploit is publicly available, making attacks highly likely.

💻 Affected Systems

Products:
  • PCMan FTP Server
Versions: 2.0.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version 2.0.7; earlier/later versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
🟠 Likely Case: Service disruption through denial of service or limited code execution depending on exploit sophistication.
🟢 If Mitigated: Limited impact if proper network segmentation and exploit prevention controls are in place.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers could exploit, but requires network access to the FTP server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists, making attacks straightforward for threat actors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Disable MGET command (windows)

Restrict or disable the vulnerable MGET command handler in FTP server configuration.

# Configuration depends on FTP server settings; check documentation for command restrictions

Network segmentation (windows)

Isolate FTP server from critical networks and restrict access to trusted IPs only.

# Allow inbound TCP/21 only from trusted hosts (192.0.2.10 is a placeholder); this relies on the default inbound policy being Block, so remove any broader allow rule for the server program first. A plain action=block rule without remoteip= takes the service offline entirely instead.
netsh advfirewall firewall add rule name="Allow FTP trusted" dir=in action=allow protocol=TCP localport=21 remoteip=192.0.2.10

🧯 If You Can't Patch

  • Replace PCMan FTP Server with a maintained alternative like FileZilla Server or vsftpd.
  • Implement application control to prevent execution of suspicious payloads on the host.

🔍 How to Verify

Check if Vulnerable:

Check FTP server version in interface or configuration files; if version is 2.0.7, it is vulnerable.

Check Version:

# Check program version in Windows (wmic lists only MSI-installed products; if nothing is returned, read the version from the server's About dialog or the executable's file properties):
wmic product where "name like '%PCMan%'" get name,version

Verify Fix Applied:

Verify version is no longer 2.0.7 or test with exploit PoC in a controlled environment.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed MGET commands
  • Unusual buffer overflow errors in FTP logs
  • Abnormal process crashes

Network Indicators:

  • Excessive MGET commands from single source
  • Malformed FTP packets targeting port 21

SIEM Query:

source="ftp.log" AND (command="MGET" OR error="buffer")
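As an added example (not from this page or the PCMan project), a small Python check that applies the two indicators above to a constructed FTP command log: MGET commands carrying an abnormally long argument, and a burst of MGET commands from a single source. The log line format, the 255-byte argument threshold and the burst limit are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (assumed format: "<time> <client-ip> <COMMAND> [argument]");
# PCMan FTP Server's real log layout is not documented on this page.
SAMPLE_LOG = "\n".join([
    "2025-05-01T10:00:01 192.0.2.10 USER anonymous",
    "2025-05-01T10:00:01 192.0.2.10 PASS ****",
    "2025-05-01T10:00:02 192.0.2.10 MGET report.txt",
    "2025-05-01T10:00:05 198.51.100.7 USER anonymous",
    "2025-05-01T10:00:06 198.51.100.7 MGET " + "A" * 600,
    "2025-05-01T10:00:07 198.51.100.7 MGET " + "B" * 600,
    "2025-05-01T10:00:08 198.51.100.7 MGET " + "C" * 600,
])

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")

# Assumed thresholds: no legitimate file name approaches 255 bytes, and three
# MGET commands from one client in a short log window is treated as a burst.
MAX_ARG_LEN = 255
MGET_BURST = 3


def analyze(log_text, max_arg_len=MAX_ARG_LEN, burst=MGET_BURST):
    """Return (alerts, mget_counts).

    alerts: one entry per MGET line whose argument exceeds max_arg_len, plus one
            entry per source that issued at least `burst` MGET commands.
    mget_counts: number of MGET commands seen per source address.
    """
    alerts = []
    mget_counts = Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "MGET":
            continue  # unparseable or not an MGET command
        src = m["src"]
        mget_counts[src] += 1
        arg = m["arg"] or ""
        if len(arg) > max_arg_len:
            alerts.append({"line": lineno, "src": src, "type": "oversized_mget_arg",
                           "arg_len": len(arg)})
    for src, n in mget_counts.items():
        if n >= burst:
            alerts.append({"src": src, "type": "mget_burst", "count": n})
    return alerts, dict(mget_counts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[0]:
        print(alert)
```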
