CVE-2025-4251

7.3 HIGH

📋 TL;DR

A critical buffer overflow vulnerability in PCMan FTP Server 2.0.7 allows remote attackers to execute arbitrary code or crash the service by sending specially crafted RMDIR commands. This affects all systems running the vulnerable FTP server version. The exploit is publicly available and can be triggered without authentication.

💻 Affected Systems

Products:
  • PCMan FTP Server
Versions: 2.0.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the RMDIR command handler component. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/root privileges leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Service crash causing denial of service, or successful remote code execution leading to malware installation and lateral movement.

🟢 If Mitigated

Service crash only if exploit fails, with minimal impact due to network segmentation and limited service privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available. The attack requires only network access to the FTP port (default 21).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative FTP server software or implementing workarounds.

🔧 Temporary Workarounds

Disable RMDIR command via FTP server configuration

windows

Configure PCMan FTP Server to reject or disable RMDIR commands entirely.

Edit server configuration file to remove RMDIR command support

Network segmentation and firewall rules

windows

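Restrict access to the FTP server to trusted IP addresses only. The remoteip parameter of netsh has no negation syntax, so a block rule with a "!" exception is rejected. Instead, allow port 21 only from the trusted ranges and rely on the default inbound block policy, and remove or narrow any broader allow rule for port 21 that already exists.

netsh advfirewall firewall add rule name="Allow FTP From Trusted Only" dir=in action=allow protocol=TCP localport=21 remoteip=192.168.1.0/24,10.0.0.0/8 enable=yes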

🧯 If You Can't Patch

  • Replace PCMan FTP Server with alternative software like FileZilla Server, vsftpd, or IIS FTP
  • Implement strict network segmentation and firewall rules to limit FTP server exposure

🔍 How to Verify

Check if Vulnerable:

Check the PCMan FTP Server version in the interface or configuration files. If the version is 2.0.7, the system is vulnerable.

Check Version:

Check the PCMan FTP Server GUI or configuration files for version information.

Verify Fix Applied:

Verify PCMan FTP Server is no longer running or has been replaced with alternative software.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed RMDIR commands
  • Unusually long RMDIR command parameters
  • FTP service crash logs

Network Indicators:

  • Excessive RMDIR commands to FTP port 21
  • Malformed FTP commands with buffer overflow patterns

SIEM Query:

source="ftp.log" AND command="RMDIR" AND (parameter_length>100 OR contains(parameter, "\x90"))
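
The same conditions as the SIEM query, plus the "excessive RMDIR commands" indicator, can be applied to exported FTP logs offline. The following Python script is an added example, not part of the original advisory or of any vendor tooling; the log line layout (timestamp, client IP, command, argument), the REPEAT_LIMIT value and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter

MAX_ARG_LEN = 100   # parameter_length threshold from the SIEM query
REPEAT_LIMIT = 3    # assumed cut-off for "excessive" RMDIR commands per client
NOP_MARKERS = (b"\x90", b"\\x90")  # raw byte, or the escaped text some loggers write


def analyze(lines):
    """Return (alerts, noisy_clients) for raw log lines given as bytes.

    Assumed line layout: <timestamp> <client IP> <command> [argument]
    """
    alerts, rmdir_count = [], Counter()
    for raw in lines:
        parts = raw.rstrip(b"\r\n").split(b" ", 3)
        if len(parts) < 3 or parts[2].upper() != b"RMDIR":
            continue
        client = parts[1].decode("ascii", "replace")
        arg = parts[3] if len(parts) == 4 else b""
        # The assumed layout has no reply code, so every RMDIR is counted.
        rmdir_count[client] += 1
        reasons = []
        if len(arg) > MAX_ARG_LEN:
            reasons.append("long_argument")
        if any(marker in arg for marker in NOP_MARKERS):
            reasons.append("nop_bytes")
        if reasons:
            alerts.append((client, len(arg), reasons))
    noisy = sorted(c for c, n in rmdir_count.items() if n >= REPEAT_LIMIT)
    return alerts, noisy


# Constructed sample input; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    b"2025-01-01T10:00:01Z 192.168.1.20 RMDIR old_reports\r\n",
    b"2025-01-01T10:00:05Z 203.0.113.7 RMDIR " + b"A" * 300 + b"\r\n",
    b"2025-01-01T10:00:06Z 203.0.113.7 RMDIR " + b"\x90" * 16 + b"\r\n",
    b"2025-01-01T10:00:07Z 203.0.113.7 RMDIR \\x90\\x90\\x90\\x90\r\n",
    b"2025-01-01T10:00:09Z 192.168.1.20 LIST /pub\r\n",
]

if __name__ == "__main__":
    alerts, noisy = analyze(SAMPLE_LOG)
    for client, length, reasons in alerts:
        print(f"ALERT {client} RMDIR arg_len={length} reasons={','.join(reasons)}")
    for client in noisy:
        print(f"ALERT {client} sent {REPEAT_LIMIT} or more RMDIR commands")
```

Lines are read as bytes because an overflow attempt is unlikely to be valid text; open the log with mode "rb" when feeding real files to analyze().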
