PatchSiren cyber security CVE debrief
CVE-2025-14242 Red Hat CVE debrief
CVE-2025-14242 is a medium-severity vulnerability (CVSS 3.1 base score 6.5) in vsftpd. An integer overflow in the parsing of ls command parameters lets a remote attacker who has logged in to the FTP service trigger a denial of service (DoS) by sending a crafted STAT command carrying a specific byte sequence. The CVE was published on January 14, 2026 and last modified on June 25, 2026. The CVE record itself lists the vendor as Unknown Vendor; the referenced Red Hat errata and Bugzilla entry are what tie the issue to Red Hat Enterprise Linux 10, which is why Red Hat is given as the vendor below.
- Vendor
- Red Hat
- Product
- Red Hat Enterprise Linux 10
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-14
- Original CVE updated
- 2026-06-25
- Advisory published
- 2026-01-14
- Advisory updated
- 2026-06-25
Who should care
Anyone operating vsftpd, on Red Hat Enterprise Linux 10 or on any other distribution that packages it, should check their exposure. The attack needs an FTP login (PR:L), but vsftpd treats an anonymous login as an authenticated session, so a server with anonymous_enable=YES should be assumed to expose the affected code path to any remote client. The impact is limited to availability: there is no confidentiality or integrity impact, but a successful attack disrupts the service for other users. Red Hat users should follow the referenced errata; internet-facing servers and servers that serve many untrusted accounts should be patched first.
Technical summary
The root cause is an integer overflow (CWE-190, Integer Overflow or Wraparound) in vsftpd's parsing of ls command parameters. A remote attacker who has logged in sends a STAT command whose argument contains a specific byte sequence; the overflowed value leads to a denial of service. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which reads as: reachable over the network (AV:N), no special conditions required (AC:L), an ordinary authenticated FTP account suffices (PR:L), no user interaction (UI:N), scope unchanged (S:U), and the only impact is high availability loss (C:N/I:N/A:H). Those metrics produce the base score of 6.5. The public record does not describe the overflowing computation itself; the Red Hat Bugzilla entry and the upstream fix are where to look for that detail.
Defensive priority
Patch first: install the vendor's vsftpd update (the referenced Red Hat errata for RHEL 10, or the equivalent package update elsewhere) and restart vsftpd so that running processes pick up the fixed binary. Where patching must wait, reduce exposure in the meantime: restrict who can log in, disable anonymous access if it is not needed, deny the STAT command with vsftpd's cmds_denied option, and watch the FTP protocol log for STAT commands from unexpected clients.
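As an added example (not code from Red Hat, vsftpd, or the CVE record), the following Python script reads a vsftpd.conf, applies the upstream defaults documented in vsftpd.conf(5), and reports whether STAT is reachable and by which class of user, so an operator can check exposure before and after applying the interim controls. The two sample configurations are constructed for illustration; the option names used (anonymous_enable, local_enable, cmds_allowed, cmds_denied, userlist_enable, userlist_deny, userlist_file, log_ftp_protocol, xferlog_std_format) are real vsftpd options.

```python
"""Audit a vsftpd.conf for exposure to CVE-2025-14242 (added example).

The CVE needs an FTP login plus the STAT command. This script parses a
vsftpd.conf, fills in vsftpd's documented defaults, and reports whether
STAT is reachable and by whom. Illustrative code written for this
debrief; it is not a Red Hat or vsftpd tool.
"""
import re

# Upstream defaults for the options we care about (vsftpd.conf(5)).
# Distributions may ship different values in their packaged config,
# which is why the file is read rather than assumed.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "cmds_allowed": "",
    "cmds_denied": "",
    "log_ftp_protocol": "NO",
    "xferlog_std_format": "YES",
}

# vsftpd.conf lines are option=value with no surrounding whitespace.
LINE_RE = re.compile(r"^\s*([A-Za-z_]+)=(.*?)\s*$")


def parse_vsftpd_conf(text):
    """Return option -> value for a vsftpd.conf body; comments and blanks are skipped."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def _cmd_set(value):
    """Split a comma-separated command list into an upper-cased set."""
    return {c.strip().upper() for c in value.split(",") if c.strip()}


def assess(text):
    """Summarise who can reach STAT on this server and what still needs fixing."""
    o = parse_vsftpd_conf(text)
    denied = _cmd_set(o["cmds_denied"])
    allowed = _cmd_set(o["cmds_allowed"])
    # cmds_allowed acts as an allow-list when non-empty, cmds_denied as a
    # deny-list; STAT is unreachable post-login if either blocks it.
    stat_blocked = "STAT" in denied or (bool(allowed) and "STAT" not in allowed)
    anon = o["anonymous_enable"].upper() == "YES"
    local = o["local_enable"].upper() == "YES"
    # Per-command logging only appears when xferlog_std_format is off.
    cmd_logging = (o["log_ftp_protocol"].upper() == "YES"
                   and o["xferlog_std_format"].upper() == "NO")
    findings = []
    if not stat_blocked:
        if anon:
            findings.append("STAT reachable by any remote client (anonymous_enable=YES)")
        if local:
            findings.append("STAT reachable by every local account that can log in")
        if not anon and not local:
            findings.append("no login type enabled; STAT unreachable in practice")
    if not cmd_logging:
        findings.append("FTP commands are not logged; set log_ftp_protocol=YES and xferlog_std_format=NO")
    return {"stat_blocked": stat_blocked, "anonymous": anon, "local": local,
            "command_logging": cmd_logging, "findings": findings}


# Constructed sample: a permissive config, not taken from any real host.
EXPOSED_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""

# Constructed sample: the same server with the interim mitigations applied.
MITIGATED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
cmds_denied=STAT
log_ftp_protocol=YES
xferlog_std_format=NO
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("mitigated", MITIGATED_CONF)):
        result = assess(conf)
        print(f"{name}: stat_blocked={result['stat_blocked']}")
        for f in result["findings"]:
            print("  -", f)
```

Run it against /etc/vsftpd/vsftpd.conf (or wherever the distribution keeps it) by passing the file contents to assess(). Note that the script reports on the configuration only; it cannot tell you whether the installed package already contains the fix, so pair it with the package version check from the errata.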
Recommended defensive actions
- Apply the vendor update for vsftpd (the Red Hat errata for RHEL 10; the distribution's package update elsewhere) and restart vsftpd so that running processes use the fixed binary.
- Limit who can log in: set anonymous_enable=NO unless anonymous access is required, and use userlist_enable with userlist_file to allow only the accounts that need FTP.
- Turn on protocol logging (log_ftp_protocol=YES with xferlog_std_format=NO) and alert on STAT commands, in particular repeated STAT from one client or from accounts that have not used it before.
- Restrict network reachability of port 21 and the data ports with firewall rules and segmentation so that only expected client ranges can reach the service.
- If patching is not immediately feasible, deny the trigger command with cmds_denied=STAT in vsftpd.conf; clients can still list directories with LIST and NLST over the data connection. The record names STAT as the trigger, so confirm against the upstream fix whether any other command reaches the same parser before relying on this alone.
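For the monitoring item, here is an added example (not part of vsftpd or any Red Hat tooling) that scans vsftpd's protocol log, as written with log_ftp_protocol=YES and xferlog_std_format=NO, extracts STAT commands and flags clients that issue them in bursts. The log lines are constructed to match vsftpd's `FTP command: Client "..."` line format; the burst threshold and window are assumptions to tune for your site.

```python
"""Flag suspicious STAT usage in vsftpd protocol logs (added example).

Reads lines produced by vsftpd with log_ftp_protocol=YES and
xferlog_std_format=NO, pulls out STAT commands and flags clients that
send them in bursts. Illustrative code written for this debrief, not
part of vsftpd or Red Hat tooling; thresholds are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd protocol-log command line, for example:
#   Wed Jan 14 10:00:01 2026 [pid 4242] [alice] FTP command: Client "203.0.113.7", "STAT -l"
# The [user] field is absent before login, hence the optional group.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?FTP command: Client "(?P<client>[^"]+)", "(?P<cmd>[^"]*)"$'
)

BURST_COUNT = 5    # assumed: this many STAT commands from one client ...
BURST_WINDOW = 60  # assumed: ... within this many seconds raises an alert


def parse_line(line):
    """Return a dict for a protocol-log command line, or None for any other line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    verb, _, arg = m.group("cmd").partition(" ")
    return {"ts": ts, "user": m.group("user"), "client": m.group("client"),
            "verb": verb.upper(), "arg": arg}


def find_stat_bursts(lines, count=BURST_COUNT, window=BURST_WINDOW):
    """Return one alert per client whose STAT rate exceeds count per window.

    A sliding window per client keeps the timestamps of its recent STAT
    commands; an alert fires the first time the window holds `count` of them.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["verb"] != "STAT":
            continue
        q = recent[ev["client"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= count and ev["client"] not in alerted:
            alerted.add(ev["client"])
            alerts.append({"client": ev["client"], "user": ev["user"],
                           "first": q[0], "last": q[-1], "count": len(q)})
    return alerts


# Constructed sample log: one ordinary session from bob and a burst of
# STAT commands from an anonymous session on another address.
SAMPLE_LOG = """\
Wed Jan 14 10:00:00 2026 [pid 4101] FTP command: Client "198.51.100.20", "USER bob"
Wed Jan 14 10:00:00 2026 [pid 4101] [bob] FTP command: Client "198.51.100.20", "PASS <password>"
Wed Jan 14 10:00:01 2026 [pid 4101] [bob] FTP response: Client "198.51.100.20", "230 Login successful."
Wed Jan 14 10:00:02 2026 [pid 4101] [bob] FTP command: Client "198.51.100.20", "STAT -l"
Wed Jan 14 10:00:03 2026 [pid 4101] [bob] FTP command: Client "198.51.100.20", "LIST"
Wed Jan 14 10:05:10 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
Wed Jan 14 10:05:11 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
Wed Jan 14 10:05:12 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
Wed Jan 14 10:05:12 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
Wed Jan 14 10:05:13 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
Wed Jan 14 10:05:14 2026 [pid 4188] [ftp] FTP command: Client "203.0.113.7", "STAT -l"
"""

if __name__ == "__main__":
    for a in find_stat_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['client']} user={a['user']} "
              f"{a['count']} STAT between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On a live host feed it the vsftpd log file (for example `find_stat_bursts(open("/var/log/vsftpd.log"))`); the alert carries the client address and logged user so it can be joined with the firewall and user-list controls above. A single STAT from a normal client, as in bob's session, does not trip the detector, which matters because ordinary FTP clients do send STAT occasionally.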
Evidence notes
The CVE record, CVSS score and vector, and the CWE-190 classification are taken from CVE.org and NVD. Patch information comes from Red Hat's security errata and the Bugzilla entry they reference. The CVE record lists the vendor as Unknown Vendor; the Red Hat references are what tie the issue to Red Hat Enterprise Linux 10, and that is the basis for the vendor and product fields above.
Official resources
This article is AI-assisted and based on the supplied source corpus.