CuteFTP 5.0 XP Buffer Overflow via Site Manager Label Field
Description
CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Attackers can craft a payload exceeding 520 bytes that overwrites the return address and executes shellcode when a shortcut is created and launched.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CuteFTP 5.0 XP contains a buffer overflow in the Site Manager label field, allowing local attackers to execute arbitrary code by creating and launching a malicious shortcut.
Vulnerability
CuteFTP 5.0 (specifically version 5.0.4 build 54.8.6.1) contains a buffer overflow vulnerability in the Site Manager label field. The field does not properly validate input length, allowing a payload exceeding 520 bytes to overwrite the return address. This affects versions up to and including 5.0.4, as confirmed by the exploit and advisory [1][2].
Exploitation
An attacker with local access can craft a malicious payload (e.g., using the provided Python script) and paste it into the label field of a new site entry in CuteFTP's Site Manager. After creating a shortcut to the site, the attacker renames the shortcut and launches it. This triggers the overflow when CuteFTP processes the label, overwriting the return address and executing provided shellcode. The exploit targets Windows XP SP3 [1].
Impact
Successful exploitation allows arbitrary code execution with the privileges of the user running CuteFTP. The provided shellcode binds a command shell to TCP port 6666, giving the attacker remote access to the system [1].
Mitigation
No official patch has been released for this vulnerability. CuteFTP 5.0 is an outdated product, and the vendor (Globalscape) may no longer support it. Users should upgrade to a supported version of CuteFTP or migrate to alternative FTP clients to mitigate the risk [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3- www.exploit-db.com/exploits/45259mitreexploit
- www.vulncheck.com/advisories/cuteftp-xp-buffer-overflow-via-site-manager-label-fieldmitrethird-party-advisory
- installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exemitreproduct
News mentions
0No linked articles in our index yet.