cbcvebase.
CVE-2025-5548
published 2025-06-04

Priority: P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 10.14% (95.1th percentile)

A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component NOOP Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
freefloat | freefloat_ftp_server | |
freefloat | ftp_server | |

Detection & IOCs (extracted from sources)

version: FreeFloat FTP Server 1.0
other: 0x7C86467B (JMP ESP) Kernel32.dll
command: NOOP <payload>
bytes: \xda\xd4\xbb\x4e\xd9\xfd\x96\xd9\x74\x24\xf4\x58\x2b\xc9
  • Buffer overflow is triggered via the FTP NOOP command; monitor for abnormally large NOOP command arguments (>246 bytes) sent to FTP port 21.
  • EIP is overwritten with JMP ESP gadget at 0x7C86467B from Kernel32.dll on Windows XP SP3; presence of this address in network traffic targeting FTP port 21 is a strong exploit indicator.
  • Exploit authenticates anonymously before sending the malicious NOOP payload; correlate anonymous FTP logins followed immediately by a large NOOP command.
  • Shellcode is a windows/shell_reverse_tcp payload; monitor for outbound TCP connections from the FTP server process (especially to port 4444) following receipt of a large NOOP command.
  • Bad characters for this exploit are \x00, \x0a, \x0d; shellcode in the NOOP payload will not contain null bytes, newlines, or carriage returns — useful for payload heuristic filtering.
  • The JMP ESP ROP gadget address (0x7C86467B) is specific to Kernel32.dll on Windows XP SP3 English (Build 2600); the exploit will not work as-is on other OS versions or patch levels.
  • The reverse shell callback IP (192.168.232.129) and listener port (4444) are attacker-controlled and will vary per deployment; treat these as example values only.
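
The first three detection notes above can be combined into one check over a reassembled client-to-server FTP control stream. The following is an added example, not code from this page or its sources; the function name, the finding fields, the severity rule, the anonymous account names and the sample sessions are all constructed assumptions.

```python
import struct

NOOP_ARG_LIMIT = 246                        # threshold from the detection notes
GADGET_LE = struct.pack("<I", 0x7C86467B)   # address from the page, in x86 wire (little-endian) order
ANON_USERS = {b"anonymous", b"ftp"}         # assumption: usual anonymous account names


def inspect_session(stream: bytes) -> list[dict]:
    """Scan one client-to-server FTP control stream; return one finding per oversized NOOP."""
    findings = []
    anonymous = False
    for lineno, line in enumerate(stream.split(b"\r\n"), start=1):
        # FTP verbs are at most four letters; compare case-insensitively.
        verb, arg = line[:4].upper(), line[4:].lstrip(b" ")
        if verb == b"USER":
            anonymous = arg.strip().lower() in ANON_USERS
        elif verb == b"NOOP" and len(arg) > NOOP_ARG_LIMIT:
            gadget = GADGET_LE in arg
            findings.append({
                "line": lineno,
                "arg_len": len(arg),
                "after_anonymous_login": anonymous,
                "gadget_bytes_present": gadget,
                # Assumed triage rule: length alone is medium, any corroborating signal is high.
                "severity": "high" if (anonymous or gadget) else "medium",
            })
    return findings


# Constructed sample sessions (filler bytes only, no real payload).
BENIGN = b"USER alice\r\nPASS secret\r\nNOOP\r\nQUIT\r\n"
ANON_LARGE = b"USER anonymous\r\nPASS a@b.example\r\nNOOP " + b"A" * 300 + b"\r\n"
ADDR_LARGE = b"USER bob\r\nPASS x\r\nNOOP " + GADGET_LE + b"A" * 300 + b"\r\n"
AT_LIMIT = b"USER bob\r\nPASS x\r\nNOOP " + b"A" * 246 + b"\r\n"

if __name__ == "__main__":
    for name, sess in [("benign", BENIGN), ("anon+large", ANON_LARGE),
                       ("addr+large", ADDR_LARGE), ("at-limit", AT_LIMIT)]:
        print(name, inspect_session(sess))
```

A well-formed NOOP carries no argument, so in practice any non-empty NOOP argument is worth logging; the 246-byte threshold only marks the point the notes above associate with this overflow.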

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P