CVE-2025-4871

7.3 HIGH

📋 TL;DR

A high-severity buffer overflow in PCMan FTP Server 2.0.7 lets an unauthenticated remote attacker crash the service or execute arbitrary code by sending a REST command with a specially crafted, overly long argument. Every system running the vulnerable version is affected, because the flaw sits in the command handler itself and does not depend on configuration. A successful exploit runs with the privileges of the account that started the FTP server process.

💻 Affected Systems

Products:
  • PCMan FTP Server
Versions: 2.0.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 2.0.7 are vulnerable regardless of configuration

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete compromise of the host, data theft, or ransomware deployment

🟠 Likely Case: Service crash causing denial of service; remote code execution is within reach of a skilled attacker building on the public proof-of-concept code

🟢 If Mitigated: Exploit attempts are dropped at the network boundary or find no listener; expect blocked-connection noise in firewall logs but no service impact

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances extremely vulnerable
🏢 Internal Only: MEDIUM - Internal attackers could exploit, but requires network access to FTP service

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available, making exploitation trivial for attackers

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check for updated version from vendor (none available as of analysis)
2. If no patch exists, follow workarounds or migrate to alternative FTP server

🔧 Temporary Workarounds

Block REST commands at the network level

linux

Drop control-channel packets that carry a REST verb, using an in-path Linux firewall or IPS. Caveats: FTP verbs are case-insensitive, so match case-insensitively (--icase) or an attacker simply sends "rest"; a plain string match does not reassemble TCP segments and can be evaded by splitting the verb across packets, which an IPS with stream reassembly handles better; the rule also drops legitimate resume-transfer requests from well-behaved clients; and on a gateway in front of the Windows host use the FORWARD chain, since INPUT only sees traffic addressed to the Linux box itself.

iptables -A FORWARD -p tcp --dport 21 -m string --string "REST" --algo bm --icase -j DROP

Disable the FTP service

windows

Stop and disable the FTP service until the product is replaced. The service name below is assumed; confirm it first with: sc query state= all | findstr /i pcman. If PCMan FTP Server runs as an interactive desktop program rather than a Windows service (sc will report that the service does not exist), close the program, remove it from startup, and uninstall it instead.

sc stop "PCMan FTP Server"
sc config "PCMan FTP Server" start= disabled

🧯 If You Can't Patch

  • Replace PCMan FTP Server with a maintained server, preferably one offering SFTP or FTPS so credentials and data are not sent in clear text
  • Isolate any remaining vulnerable host in its own network segment and restrict TCP port 21 to the specific source addresses that need it; never expose it to the internet

🔍 How to Verify

Check if Vulnerable:

Confirm that PCMan FTP Server is installed and that something is listening on TCP port 21 (on the host: netstat -ano | findstr /C:":21 ", then match the PID to the running process in Task Manager). Any installation of version 2.0.7 is vulnerable regardless of configuration.

Check Version:

Right-click the server executable in its Program Files directory, open Properties, and read the version on the Details tab. The FTP greeting banner also identifies the product but may not show the full patch level, so treat the file version as authoritative.

Verify Fix Applied:

Confirm that the installed version is no longer 2.0.7 (no fixed version is known at the time of writing, so in practice this means the product has been removed or replaced) or that nothing on the host listens on port 21.
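Added example, not from the original advisory or the PCMan project: a small Python checker that grabs the FTP greeting from a host and classifies it as PCMan FTP Server or not. The sample banner text, the exact wording PCMan sends, and the assumption that the greeting carries a version number are all assumptions; confirm the file version on the host, since the banner may show only 2.0 rather than 2.0.7.

```python
import re
import socket

# Constructed sample greeting. The exact text PCMan FTP Server sends is an
# assumption here; substitute the real banner observed on your host.
SAMPLE_BANNER = "220 PCMan's FTP Server 2.0 Ready.\r\n"

# Matches a 220 greeting that names PCMan FTP Server and captures a version
# string if one is present (the banner may show fewer digits than 2.0.7).
BANNER_RE = re.compile(
    r"^220[ -].*PCMan'?s? FTP Server\s*(?P<ver>\d+(?:\.\d+)*)?",
    re.IGNORECASE,
)


def parse_banner(banner: str) -> dict:
    """Classify an FTP greeting line: is it PCMan FTP Server, and which version?"""
    m = BANNER_RE.search(banner.strip())
    if not m:
        return {"pcman": False, "version": None}
    return {"pcman": True, "version": m.group("ver")}


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect, read the first greeting line, send QUIT, return the line.

    Only the first line of a multi-line (220-) greeting is returned.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while not data.endswith(b"\r\n") and len(data) < 4096:
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return data.decode("latin-1", errors="replace")


def check_host(host: str, port: int = 21) -> dict:
    """Live check: fetch the greeting from host:port and classify it."""
    return parse_banner(grab_banner(host, port))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    # With no argument, classify the constructed sample instead of a live host.
    print(check_host(target) if target else parse_banner(SAMPLE_BANNER))
```

Run it with a hostname or IP to test a live listener; a match on the product name is enough to schedule the host for removal, whatever version digits the banner shows.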

📡 Detection & Monitoring

Log Indicators:

  • REST commands whose argument is not a short decimal byte offset (non-numeric, or longer than about 20 characters; a legitimate REST carries only a resume offset)
  • FTP service crashes: the server process disappearing, or Windows Application Error (Event ID 1000) entries naming it
  • Unusual buffer overflow or access violation errors in FTP logs

Network Indicators:

  • Unusual volumes of REST commands to TCP port 21, particularly from a single source
  • Malformed FTP commands with long parameters, in any letter case (FTP verbs are case-insensitive, so a filter that only looks for uppercase REST misses "rest")

SIEM Query:

Splunk-style query. It assumes ftp.log keeps the raw command line in _raw, so adjust the field extraction to your log format:

source="ftp.log" | rex field=_raw "(?i)\bREST\s+(?<arg>\S*)" | where len(arg)>20 OR NOT match(arg, "^[0-9]+$") OR like(lower(_raw), "%buffer overflow%")
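The log indicators, network indicators and SIEM query above reduce to one rule: a REST whose argument is not a short decimal offset, in any letter case, or a session sending an unusual number of them. The following Python detector, an added example rather than anything from the advisory or the vendor, applies that rule to FTP control-channel command lines (extracted from a capture or from a log that records raw commands). The sample session is constructed, and the 20-character and 5-per-session thresholds are assumptions to tune.

```python
import re

# RFC 959 / RFC 3659: REST takes exactly one decimal byte-offset argument.
# A 64-bit offset is at most 20 digits, so anything longer or non-numeric
# is not a legitimate resume request.
REST_ARG_MAX = 20
# Sessions issuing more REST commands than this are flagged as excessive.
# The threshold is an assumption; tune it to your traffic.
REST_PER_SESSION_MAX = 5

# FTP command line: 3-4 letter verb, optional whitespace-separated argument.
FTP_CMD_RE = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def classify_command(line: str) -> dict:
    """Judge one control-channel line.

    The verb is compared case-insensitively: FTP verbs are case-insensitive,
    so a filter that only matches uppercase REST is evaded by 'rest'.
    """
    line = line.rstrip("\r\n")
    m = FTP_CMD_RE.match(line)
    if not m:
        # A verb glued to its argument (e.g. RESTAAAA) lands here.
        return {"cmd": None, "suspicious": True, "reason": "unparseable command line"}
    cmd = m.group("cmd").upper()
    arg = (m.group("arg") or "").strip()
    if cmd == "REST":
        if not (arg.isascii() and arg.isdigit()):
            return {"cmd": cmd, "suspicious": True,
                    "reason": "REST argument is not a decimal offset"}
        if len(arg) > REST_ARG_MAX:
            return {"cmd": cmd, "suspicious": True,
                    "reason": "REST argument longer than %d characters" % REST_ARG_MAX}
    return {"cmd": cmd, "suspicious": False, "reason": ""}


def scan_session(lines) -> list:
    """Return [(line_no, reason)] for one client session's command lines.

    line_no is 1-based; a session-level finding uses line_no 0.
    """
    findings = []
    rest_count = 0
    for no, line in enumerate(lines, start=1):
        verdict = classify_command(line)
        if verdict["cmd"] == "REST":
            rest_count += 1
        if verdict["suspicious"]:
            findings.append((no, verdict["reason"]))
    if rest_count > REST_PER_SESSION_MAX:
        findings.append((0, "excessive REST commands in session (%d)" % rest_count))
    return findings


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS test@example.com",
    "REST 1024",               # legitimate resume offset
    "rest " + "A" * 300,       # lowercase verb plus non-numeric payload
    "REST " + "9" * 40,        # numeric but far too long for an offset
    "RETR file.bin",
    "QUIT",
]

if __name__ == "__main__":
    for no, reason in scan_session(SAMPLE_SESSION):
        print("line %d: %s" % (no, reason))
```

Feed it one session at a time (group by client address and connection) so the per-session REST count is meaningful; the per-line checks work equally well on a single stream of commands.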
