CVE-2019-25614
Free Float · FTP Server
Free Float FTP 1.0 contains a buffer overflow in the STOR command handler, enabling remote attackers to execute arbitrary code via a crafted payload.
Executive summary
A critical buffer overflow vulnerability in Free Float FTP 1.0 allows remote attackers to execute arbitrary code with the privileges of the FTP service.
Vulnerability
This is a stack-based buffer overflow in the STOR command handler. An attacker authenticates with anonymous credentials and sends a STOR request whose argument consists of 247 bytes of padding followed by a return address and shellcode. The padding overruns the handler's fixed-size stack buffer and reaches the saved return address; the bytes that follow replace that address, so when the handler returns, execution is redirected into the attacker-supplied shellcode. No further interaction is needed beyond the anonymous login and the single crafted command.
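The defect class described above, shown as the vulnerable copy pattern beside a hardened form. This is an added illustration, not Free Float FTP's own code (the product's source is not reproduced on this page); the buffer size STOR_BUF and the function names are assumptions chosen for the example, and the vulnerable handler is only ever exercised with a short, benign argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the handler's stack buffer. The advisory gives only the
 * 247-byte distance to the saved return address, so the real buffer is
 * smaller than that; 128 is a placeholder for illustration. */
#define STOR_BUF 128

/* Vulnerable pattern: the STOR argument is copied into a fixed-size stack
 * buffer with no length check. An argument longer than the buffer runs past
 * it into the saved frame pointer and return address, which is the defect
 * the advisory describes. Never call this with attacker-controlled input. */
int handle_stor_vulnerable(const char *arg)
{
    char filename[STOR_BUF];
    strcpy(filename, arg);          /* unbounded copy: the overflow */
    return (int)strlen(filename);   /* a real server would open the file here */
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, then copy with an explicit bound. Returns -1 when the
 * argument is rejected (a real server would answer 501), else the length. */
int handle_stor_hardened(const char *arg)
{
    char filename[STOR_BUF];
    const char *end = memchr(arg, '\0', STOR_BUF);
    if (end == NULL)
        return -1;                  /* no terminator within the buffer size */
    size_t n = (size_t)(end - arg);
    memcpy(filename, arg, n);
    filename[n] = '\0';
    return (int)n;
}

/* Builds a STOR argument of `len` filler bytes (the 'A' padding used in the
 * advisory's payload layout) and reports whether the hardened handler
 * rejects it. Returns 1 if rejected, 0 if accepted, -1 on allocation failure. */
int hardened_rejects_length(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = handle_stor_hardened(arg);
    free(arg);
    return rc < 0 ? 1 : 0;
}

int main(void)
{
    printf("hardened, 'upload.txt'   -> %d\n", handle_stor_hardened("upload.txt"));
    printf("hardened, 247 x 'A'      -> rejected=%d\n", hardened_rejects_length(247));
    /* The vulnerable handler is only exercised with a short, benign name. */
    printf("vulnerable, 'upload.txt' -> %d\n", handle_stor_vulnerable("upload.txt"));
    return 0;
}
```

The fix is at the copy site: the length is checked before any byte is written. Compiler and OS mitigations (stack cookies, DEP, ASLR) raise the cost of exploiting such a bug but do not remove it, which is why the remediation below is to retire the product rather than rely on them.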
Business impact
The impact of this vulnerability is severe, as it allows for Remote Code Execution (RCE) on the host server. An attacker gaining code execution can move laterally through the network, steal sensitive data, or deploy ransomware. The CVSS score of 9.8 reflects the ease of exploitation (anonymous access) and the total loss of system confidentiality, integrity, and availability.
Remediation
Immediate Action: Discontinue the use of Free Float FTP 1.0 immediately and migrate to a modern, supported FTP or SFTP solution, as this software is legacy and highly insecure.
Proactive Monitoring: Monitor network traffic for STOR commands with abnormally long arguments (legitimate filenames are far shorter than the 247-byte padding this exploit requires). Treat unexpected crashes of the FTP service as possible failed exploit attempts, and review for unauthorized shell activity or unexpected child processes spawned by the FTP service.
Compensating Controls: If immediate decommissioning is not possible, restrict FTP access to known IP addresses via a firewall and disable anonymous authentication. Note that disabling anonymous access only removes the unauthenticated path; any user who can log in can still reach the vulnerable STOR handler, so this is a stopgap, not a fix.
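The monitoring check described above, run over a constructed FTP command stream. This is an added example, not tooling from the page or the vendor: the threshold MAX_STOR_ARG is an assumed value, the session lines are constructed (not a real capture), and the non-printable-byte check is a heuristic added here on the reasoning that a return address and shellcode are not printable filename characters.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Alert threshold for the STOR argument, in bytes. The advisory's payload
 * starts with 247 bytes of padding, so any argument that long is flagged;
 * real filenames are far shorter. 200 is an assumed value; tune it to the
 * longest legitimate path seen in the deployment. */
#define MAX_STOR_ARG 200

/* Returns 1 if `line` is a STOR command whose argument is at least `max_arg`
 * bytes long or contains non-printable bytes, else 0. FTP verbs are
 * case-insensitive and the argument runs up to the CRLF. */
int stor_is_suspicious(const char *line, size_t max_arg)
{
    static const char verb[] = "STOR";
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 0;                       /* not STOR (or line too short) */
    if (line[4] != ' ')
        return 0;                           /* "STORE", bare "STOR", etc. */
    const char *arg = line + 5;
    size_t len = strcspn(arg, "\r\n");
    if (len >= max_arg)
        return 1;                           /* oversized argument */
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)arg[i]))
            return 1;                       /* binary bytes in a filename */
    return 0;
}

/* Counts suspicious STOR lines in a captured command stream. */
size_t count_suspicious_stor(const char *const *lines, size_t n, size_t max_arg)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (stor_is_suspicious(lines[i], max_arg))
            hits++;
    return hits;
}

/* Constructed command line mirroring the layout in the advisory: 247 bytes of
 * padding, 4 placeholder bytes where the return address would sit, and four
 * placeholder non-printable bytes standing in for shellcode. No real address
 * or shellcode is used. */
const char *crafted_stor_line(void)
{
    static char line[5 + 247 + 4 + 4 + 3];
    if (line[0] == '\0') {
        char *p = line;
        memcpy(p, "STOR ", 5);  p += 5;
        memset(p, 'A', 247);    p += 247;
        memcpy(p, "BBBB", 4);   p += 4;
        memset(p, 0x01, 4);     p += 4;
        memcpy(p, "\r\n", 3);   /* includes the terminating NUL */
    }
    return line;
}

/* Constructed sample session (not a real capture): a normal anonymous upload
 * session plus two STOR lines that should be flagged. */
size_t scan_sample_session(void)
{
    const char *lines[] = {
        "USER anonymous\r\n",
        "PASS guest@example.com\r\n",
        "CWD /incoming\r\n",
        "STOR report.txt\r\n",                    /* benign */
        "stor Quarterly Numbers 2019.xlsx\r\n",   /* benign, lowercase verb */
        "RETR report.txt\r\n",
        "STOR bad\x01name.txt\r\n",               /* non-printable byte */
        crafted_stor_line(),                      /* 255-byte argument */
    };
    return count_suspicious_stor(lines, sizeof lines / sizeof lines[0], MAX_STOR_ARG);
}

int main(void)
{
    printf("suspicious STOR lines in sample session: %zu\n", scan_sample_session());
    return 0;
}
```

One tuning caveat: isprint() in the C locale treats bytes above 0x7F as non-printable, so servers that accept UTF-8 filenames will generate alerts from legitimate uploads; either decode the argument before checking or rely on the length threshold alone in that environment.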
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given that Free Float FTP 1.0 is an obsolete product with known public exploits, the only viable recommendation is to replace it immediately. The presence of a 9.8 CVSS score and public exploit code makes this a high-priority target for attackers.