CVE-2019-25619

FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Attackers can inject shellcode through the account name parameter in the Manage FTP Accounts dialog to overwrite the return address and execute calc.exe or other commands.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.ftpshell.com/index.htm	Product
https://www.exploit-db.com/exploits/46685	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/ftp-shell-server-buffer-overflow-via-account-name	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ftpshell:ftpshell_server:6.83:*:*:*:*:*:*:*

History

03 Apr 2026, 14:33

Type	Values Removed	Values Added
References	~~() http://www.ftpshell.com/index.htm -~~	() http://www.ftpshell.com/index.htm - Product
References	~~() https://www.exploit-db.com/exploits/46685 -~~	() https://www.exploit-db.com/exploits/46685 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/ftp-shell-server-buffer-overflow-via-account-name -~~	() https://www.vulncheck.com/advisories/ftp-shell-server-buffer-overflow-via-account-name - Third Party Advisory
Summary		(es) FTP Shell Server 6.83 contiene una vulnerabilidad de desbordamiento de búfer en el campo 'Account name to ban' que permite a atacantes locales ejecutar código arbitrario al proporcionar una cadena manipulada. Los atacantes pueden inyectar shellcode a través del parámetro de nombre de cuenta en el diálogo Manage FTP Accounts para sobrescribir la dirección de retorno y ejecutar calc.exe u otros comandos.
First Time		Ftpshell Ftpshell ftpshell Server
CPE		cpe:2.3:a:ftpshell:ftpshell_server:6.83:::::::*

22 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-22 14:16

Updated : 2026-04-03 14:33

NVD link : CVE-2019-25619

Mitre link : CVE-2019-25619

CVE.ORG link : CVE-2019-25619

JSON object : View

Products Affected

ftpshell

ftpshell_server

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2019-25619", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-22T14:16:30.873", "references": [{"url": "http://www.ftpshell.com/index.htm", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/46685", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/ftp-shell-server-buffer-overflow-via-account-name", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Attackers can inject shellcode through the account name parameter in the Manage FTP Accounts dialog to overwrite the return address and execute calc.exe or other commands."}, {"lang": "es", "value": "FTP Shell Server 6.83 contiene una vulnerabilidad de desbordamiento de b\u00fafer en el campo 'Account name to ban' que permite a atacantes locales ejecutar c\u00f3digo arbitrario al proporcionar una cadena manipulada. Los atacantes pueden inyectar shellcode a trav\u00e9s del par\u00e1metro de nombre de cuenta en el di\u00e1logo Manage FTP Accounts para sobrescribir la direcci\u00f3n de retorno y ejecutar calc.exe u otros comandos."}], "lastModified": "2026-04-03T14:33:32.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ftpshell:ftpshell_server:6.83:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1CA14F8-D487-4555-B050-50FCED850F9A"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}