CVE-2024-46483

CRITICAL

Xlight FTP Server <3.9.4.3 - Buffer Overflow


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-46483, a PoC published by kn32.

AI-analyzed exploit summary

This PoC exploits a pre-authentication heap overflow in Xlight SFTP server by crafting a malicious string length during the SSH handshake, leading to an out-of-bounds write on 32-bit systems or a denial-of-service on 64-bit systems. The exploit patches Paramiko to send a manipulated string length, triggering the vulnerability.

Description

Xlight FTP Server <3.9.4.3 has an integer overflow vulnerability in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content.

Exploits (1)

nomisec · WORKING POC · 12 stars
by kn32 · PoC
https://github.com/kn32/cve-2024-46483

Classification: Working PoC (95%)
Attack Type: RCE | DoS
Complexity: Moderate
Reliability: Reliable
Target: Xlight SFTP server <= 3.9.4.2
Authentication: None needed
Prerequisites: Network access to the Xlight SFTP server · Paramiko library installed
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0112
EPSS Percentile 61.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-190
Status published
Published Oct 22, 2024
Tracked Since Feb 18, 2026