cbcvebase.
CVE-2016-5764
published 2016-10-27


Priority: P2 · 61 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
EXPLOIT
EPSS: 7.76% (93.9th percentile)
Micro Focus Rumba FTP 4.X client buffer overflow makes it possible to corrupt the stack and allow arbitrary code execution. Fixed in: Rumba FTP 4.5 (HF 14668). This can only occur if a client connects to a malicious server.

Affected

6 ranges, all for vendor microfocus, product rumba_ftp. The version range and fixed-in values were not captured for any of the six ranges; the description above states the fix as Rumba FTP 4.5 (HF 14668).

Detection & IOCs (extracted from sources)

  • command (FTP reply 257): "/" + "A"*629 + "\x45\x45\x45\x45" + "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211
  • command (FTP reply 257): PWD response with oversized directory name (629+ bytes)
  • bytes: \x45\x45\x45\x45\x44\x44\x44\x44
  • Detect oversized FTP PWD (257) responses: a 257 response with a directory name exceeding ~629 bytes is the trigger for the stack buffer overflow in Rumba FTP 4.x client.
  • Monitor FTP clients connecting to port 21 on untrusted/external hosts; the exploit requires the Rumba FTP client to initiate a connection to a malicious server — lateral movement or phishing scenarios may precede exploitation.
  • Detect SEH-based stack overflow pattern: look for FTP 257 responses containing the byte sequence 0x45454545 (EEEE) followed by 0x44444444 (DDDD) within the quoted directory name field, indicative of SEH/NSEH overwrite.
  • Flag Rumba FTP client processes (version 4.x, pre-HF 14668) making outbound FTP connections; process-level monitoring for the Rumba FTP client binary connecting to external IPs on port 21 should trigger investigation.
  • The exploit is client-side only — the vulnerable Rumba FTP client must actively connect to the attacker-controlled server; the server itself is not directly exploitable.
  • The PoC was tested only on Windows 7; exploit reliability on other Windows versions may vary due to differing ASLR/SafeSEH module layouts.
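The two detection rules above (oversized pathname in a 257 reply, and the EEEE/DDDD NSEH/SEH marker inside that pathname) as a small checker that a proxy, sensor or log-replay script could run over server reply lines. This is an added example written for this page, not code from the source or from Micro Focus; the 629-byte threshold and the marker bytes are taken from the IOCs listed here, and the sample replies are constructed, not captured traffic. It also handles the case the PoC string itself presents: a 257 reply whose pathname is never closed by a quote.

```python
"""Flag FTP 257 (PWD/MKD) replies whose quoted pathname is oversized or carries the
SEH-overwrite marker described for CVE-2016-5764. Detection-side logic only."""
import re

PATHNAME_LEN_THRESHOLD = 629                       # page IOC: ~629+ byte directory names trigger the overflow
SEH_MARKER = b"\x45\x45\x45\x45\x44\x44\x44\x44"   # "EEEEDDDD": NSEH/SEH overwrite pattern from the PoC

# RFC 959 form: 257 "<pathname>" <commentary>; a literal quote inside the pathname is doubled.
_REPLY_257 = re.compile(rb'^257 "((?:[^"]|"")*)"')


def extract_257_pathname(reply: bytes):
    """Return (pathname, well_formed) for a 257 reply, or (None, False) for any other line."""
    m = _REPLY_257.match(reply)
    if m:
        return m.group(1).replace(b'""', b'"'), True
    if reply.startswith(b'257 "'):
        # Opening quote but no closing one (the PoC string has none): take the rest of the line.
        return reply[5:].rstrip(b"\r\n"), False
    return None, False


def inspect_reply(reply: bytes) -> dict:
    """Classify one server reply line as seen by the client."""
    path, well_formed = extract_257_pathname(reply)
    if path is None:
        return {"is_257": False, "verdict": "ignored"}
    oversized = len(path) >= PATHNAME_LEN_THRESHOLD
    marker = SEH_MARKER in path
    if marker and oversized:
        verdict = "exploit_pattern"      # both IOCs present: matches the published PoC layout
    elif oversized or not well_formed:
        verdict = "suspicious"           # overlong or malformed pathname, worth a look on its own
    else:
        verdict = "benign"
    return {"is_257": True, "pathname_len": len(path), "oversized": oversized,
            "seh_marker": marker, "well_formed": well_formed, "verdict": verdict}


def scan_replies(replies):
    """Return only the 257 replies that are not benign, with their classification."""
    return [r for r in (inspect_reply(x) for x in replies)
            if r["is_257"] and r["verdict"] != "benign"]


# Constructed sample replies (not captured traffic): a normal PWD answer, an overlong one,
# one laid out like the PoC string from this page (no closing quote), and a non-257 line.
SAMPLE_REPLIES = [
    b'257 "/home/alice" is the current directory.\r\n',
    b'257 "/' + b"A" * 629 + b'" is the current directory.\r\n',
    b'257 "/' + b"A" * 629 + b"\x45\x45\x45\x45" + b"\x44\x44\x44\x44"
        + b"D" * 185 + b"rrrr" + b"D" * 211 + b"\r\n",
    b"220 Welcome\r\n",
]

if __name__ == "__main__":
    for hit in scan_replies(SAMPLE_REPLIES):
        print(hit)
```

The length check is applied to the decoded pathname rather than the whole line, so long server commentary after the closing quote does not produce false positives; the marker check is deliberately kept separate from the length check so a reply that carries only one of the two indicators still surfaces as "suspicious" rather than being dropped.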

CVSS provenance

NVD · CVSS v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P