ftpshell CVE Vulnerabilities & Metrics

Focus on ftpshell vulnerabilities and metrics.

Last updated: 16 Apr 2026, 22:25 UTC

About ftpshell Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ftpshell. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total ftpshell CVEs: 5
Earliest CVE date: 03 Aug 2005, 04:00 UTC
Latest CVE date: 30 Mar 2026, 12:16 UTC

Latest CVE reference: CVE-2018-25226

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ftpshell CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.4

Max CVSS: 10.0

Critical CVEs (≥9): 3

CVSS Range vs. Count

Range       Count
0.0-3.9     3
4.0-6.9     1
7.0-8.9     1
9.0-10.0    3

CVSS Distribution Chart

Top 5 Highest CVSS ftpshell CVEs

These are the five CVEs with the highest CVSS scores for ftpshell, sorted by severity first and then by recency.

All CVEs for ftpshell

CVE-2018-25226 ftpshell vulnerability CVSS: 0 30 Mar 2026, 12:16 UTC

FTPShell Server 6.83 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the account name field. Attackers can trigger a denial of service by pasting a 417-byte payload into the 'Account name to ban' parameter within the Manage FTP Accounts interface.

CVE-2019-25619 ftpshell vulnerability CVSS: 0 22 Mar 2026, 14:16 UTC

FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Attackers can inject shellcode through the account name parameter in the Manage FTP Accounts dialog to overwrite the return address and execute calc.exe or other commands.

CVE-2020-18077 ftpshell vulnerability CVSS: 5.0 17 Dec 2021, 17:15 UTC

A buffer overflow vulnerability in the Virtual Path Mapping component of FTPShell v6.83 allows attackers to cause a denial of service (DoS).

CVE-2018-7573 ftpshell vulnerability CVSS: 10.0 01 Mar 2018, 17:29 UTC

An issue was discovered in FTPShell Client 6.7. A remote FTP server can send 400 characters of 'F' in conjunction with the FTP 220 response code to crash the application; after this overflow, one can run arbitrary code on the victim machine. This is similar to CVE-2009-3364 and CVE-2017-6465.

CVE-2017-6465 ftpshell vulnerability CVSS: 7.5 10 Mar 2017, 01:59 UTC

Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leading to a buffer overflow situation.

CVE-2009-3364 ftpshell vulnerability CVSS: 9.3 24 Sep 2009, 16:30 UTC

Stack-based buffer overflow in FTPShell Client 4.1 RC2 allows remote FTP servers to execute arbitrary code via a long response to a PASV command.

CVE-2009-0349 ftpshell vulnerability CVSS: 9.3 29 Jan 2009, 19:30 UTC

Stack-based buffer overflow in FTPShell Server 4.3 allows user-assisted remote attackers to cause a denial of service (persistent daemon crash) and possibly execute arbitrary code via a long string in a licensing key (aka .key) file.

CVE-2005-2426 ftpshell vulnerability CVSS: 2.1 03 Aug 2005, 04:00 UTC

FTPshell Server 3.38 allows remote authenticated users to cause a denial of service (application crash) by multiple connections and disconnections without using the QUIT command.