CVE-2022-22836
Published 2022-01-10
CVE-2022-22836: CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.
Priority P348 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 5.37% (91.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coreftp | core_ftp | <= 1.2 | — |
| coreftp | core_ftp | — | — |
CVSS provenance
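| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |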
No detection rules found.
Wiz
CVE-2019-25654 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2019-25654: CoreFTP Server vulnerability analysis and mitigation
Core FTP/SFTP Server 1.2 contains a buffer overflow vulnerability that allows attackers to crash the service by supplying an excessively long string in the User domain field. Attackers can paste a malicious payload containing 7000 bytes of data into the domain configuration to trigger an application crash and deny service.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.7 |
| Published | March 30, 2026 |
| Severity | HIGH |
| CNA Score | 8.7 |
| Affected Technologies | CoreFTP Server |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:coreftp:core_ftp |
Sources
Windows Severity HIG
Wiz
CVE-2019-25686 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2019-25686: CoreFTP Server vulnerability analysis and mitigation
Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.7 |
| Published | April 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.7 |
| Affected Technologies | CoreFTP Server |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.4 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:coreftp:core_ftp |
Sources
NVD
Win