CVE-2010-20115 CRITICAL

CVE-2010-20115: Vermillion FTP <= 1.31 Daemon PORT Command Memory Corruption

Vendor Arcane Software
Product Vermillion FTP Daemon
Weakness CWE-787
Published August 21, 2025
Last update May 15, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contain a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, which allows an attacker to manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is limited to a single execution attempt if the daemon is installed as a Windows service.
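The weakness class named above (CWE-787, an array index that is not checked while PORT input is parsed) is avoided by validating each field before it is stored. The following is an added example, not vftpd code and not taken from this record: `parse_port_arg` is a hypothetical helper that accepts only the RFC 959 form `h1,h2,h3,h4,p1,p2`. The record does not say what form the malformed argument takes, so the function simply rejects anything that is not six decimal bytes.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse the argument of an FTP PORT command (RFC 959: "h1,h2,h3,h4,p1,p2",
 * six decimal values in 0-255). Returns 0 and fills ip[4] and *port on
 * success, -1 on any deviation. Hypothetical helper, not vftpd code. */
int parse_port_arg(const char *arg, uint8_t ip[4], uint16_t *port)
{
    unsigned fields[6];
    size_t n = 0;        /* index of the next field to store */
    unsigned value = 0;  /* value of the field being read */
    int digits = 0;      /* digits seen in the current field */

    if (arg == NULL || ip == NULL || port == NULL)
        return -1;

    for (const char *p = arg; ; p++) {
        if (*p >= '0' && *p <= '9') {
            if (++digits > 3)
                return -1;          /* caps the value before it can overflow */
            value = value * 10 + (unsigned)(*p - '0');
        } else if (*p == ',' || *p == '\0') {
            if (digits == 0 || value > 255)
                return -1;          /* empty field, or not a byte */
            if (n >= 6)
                return -1;          /* index is checked BEFORE the store */
            fields[n++] = value;
            value = 0;
            digits = 0;
            if (*p == '\0')
                break;
        } else {
            return -1;              /* signs, spaces, CR/LF, anything else */
        }
    }
    if (n != 6)
        return -1;                  /* too few fields */

    for (size_t i = 0; i < 4; i++)
        ip[i] = (uint8_t)fields[i];
    *port = (uint16_t)((fields[4] << 8) | fields[5]);
    return 0;
}
```

The caller is expected to pass only the argument text, with the `PORT ` verb and the trailing CRLF already stripped.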

Key dates

02 Disclosure timeline

August 21, 2025 CVE published
May 15, 2026 Record updated
