CVE-2020-37107

HIGH

Core FTP LE 2.2 - Denial of Service via Account Field Buffer Overflow

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37107. PoCs published by Ismael Nava.

AI-analyzed exploit summary: This exploit triggers a denial of service in Core FTP LE 2.2 by overwriting the 'Account' field with a large buffer (20,000 'R' characters), causing the application to crash and require reinstallation.

Description

Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation.

Exploits (1)

exploitdb WORKING POC
by Ismael Nava · python · dos · windows
https://www.exploit-db.com/exploits/48137

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Core FTP LE 2.2 build 1947
No auth needed
Prerequisites: Core FTP LE 2.2 installed · User interaction to paste malicious input
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48137
Various Sources product
http://www.coreftp.com/
Various Sources product
http://www.coreftp.com/download.html
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/core-ftp-le-denial-of-service

Scores

CVSS v3 7.5
EPSS 0.0037
EPSS Percentile 28.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-120
Status published
Products (1)
Core FTP/Core FTP LE 2.2 build 1947
Published Feb 07, 2026
Tracked Since Feb 18, 2026