CVE-2025-5331

7.3 HIGH

📋 TL;DR

A buffer overflow in the NLST command handler of PCMan FTP Server 2.0.7 allows remote attackers to execute arbitrary code or crash the service by sending specially crafted NLST commands. All systems running this version are affected. No authentication is required, so an attacker may be able to gain control of an affected system.

💻 Affected Systems

Products:
  • PCMan FTP Server
Versions: 2.0.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the NLST command handler component and affects default installations. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Service crash causing denial of service, with potential for remote code execution by skilled attackers using the public exploit.

🟢 If Mitigated

Service disruption or crash without code execution if the exploit fails or protections like ASLR/DEP are effective.

🌐 Internet-Facing: HIGH - A remote, unauthenticated exploit with a public proof-of-concept makes internet-facing instances prime targets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but they need network access to the FTP service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub, making this easily weaponizable. The buffer overflow in the NLST command handler can be triggered remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to a different FTP server solution or implementing workarounds.

🔧 Temporary Workarounds

Disable FTP Service

windows

Completely disable PCMan FTP Server if not required for operations.

net stop "PCMan FTP Server"
sc config "PCMan FTP Server" start= disabled

Network Segmentation

windows

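Restrict access to the FTP service with firewall rules so that only trusted IP addresses can reach it. Windows Firewall applies block rules ahead of allow rules, so a blanket block rule on port 21 would also cut off the trusted range. Rely on the default inbound block policy instead, remove any broader allow rule that exists for the server, and add an allow rule scoped to the trusted subnet (192.168.1.0/24 is an example range).

netsh advfirewall firewall add rule name="Allow PCMan FTP Trusted" dir=in action=allow protocol=TCP localport=21 remoteip=192.168.1.0/24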

🧯 If You Can't Patch

  • Implement strict network access controls to limit FTP service exposure to only necessary clients.
  • Monitor for exploitation attempts using the detection indicators and have incident response procedures ready.

🔍 How to Verify

Check if Vulnerable:

Check if PCMan FTP Server 2.0.7 is installed and running on port 21 (default). Use 'netstat -ano | findstr :21' to check for listening FTP service.

Check Version:

Check program files directory for PCMan FTP Server version or examine installed programs in Control Panel.

Verify Fix Applied:

Verify the service is stopped or disabled, or that firewall rules are blocking/restricting access to port 21.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed NLST commands
  • Unusually large NLST command parameters
  • FTP service crash logs

Network Indicators:

  • Excessive or malformed NLST commands to FTP port 21
  • Traffic patterns matching the public exploit

SIEM Query:

source="ftp.log" AND ((command="NLST" AND size>1000) OR (event="crash" AND service="PCMan FTP"))
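
The log indicators above expressed as detection logic, as an added example that is not part of the original advisory or any vendor tooling. The log line format (`<time> <client> <command or reply>`), the `FAIL_LIMIT` value and the sample lines are assumptions constructed for illustration; the 1000-character threshold mirrors the SIEM query.

```python
import re
from collections import defaultdict

MAX_NLST_ARG = 1000  # same threshold as the SIEM query (size>1000)
FAIL_LIMIT = 3       # assumed: failed NLST replies per client before alerting
LINE = re.compile(r"^(\S+) (\S+) (.*)$", re.S)   # time, client, payload
REPLY = re.compile(r"^([1-5]\d\d)(?:[ -]|$)")    # FTP reply code
COMMAND = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$", re.S)

# Constructed sample log in the assumed format (documentation IP ranges).
SAMPLE_LOG = [
    "2025-01-01T10:00:01 192.0.2.10 NLST /pub",
    "2025-01-01T10:00:01 192.0.2.10 226 Transfer complete",
    "2025-01-01T10:02:10 203.0.113.9 nlst " + "A" * 2100,
]
SAMPLE_LOG += [
    f"2025-01-01T10:03:0{i} 198.51.100.7 {payload}"
    for i in range(3) for payload in ("NLST /missing", "550 No such file")
]

def scan(lines):
    """Return (client, reason, detail) alerts for the NLST indicators."""
    alerts = []
    last_cmd = {}                     # client -> last command verb seen
    nlst_failures = defaultdict(int)  # client -> failed NLST replies
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        _, client, payload = m.groups()
        reply = REPLY.match(payload)
        if reply:
            # A 4xx/5xx reply answering this client's NLST counts as a failure.
            if last_cmd.get(client) == "NLST" and reply.group(1)[0] in "45":
                nlst_failures[client] += 1
                if nlst_failures[client] == FAIL_LIMIT:
                    alerts.append((client, "repeated-nlst-failures", FAIL_LIMIT))
            last_cmd.pop(client, None)
            continue
        cmd = COMMAND.match(payload)
        if not cmd:
            continue
        verb, arg = cmd.group(1).upper(), cmd.group(2) or ""  # verbs are case-insensitive
        last_cmd[client] = verb
        if verb == "NLST" and len(arg) > MAX_NLST_ARG:
            alerts.append((client, "oversized-nlst-argument", len(arg)))
    return alerts
```

An oversized NLST with no reply afterwards, as for the second client in the sample, is also worth correlating with the service crash indicator.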
