External risk intelligence

Windows FTP Service Heap Overflow Allows Network Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49172

The vulnerability affects a Windows FTP Service. FTP is a standard protocol designed for network-based file transfers and is commonly deployed as an internet-facing service or edge-reachable gateway to facilitate remote data access.

Buffer Overflow

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the Windows FTP Service, which could allow an unauthorized attacker to execute code remotely over a network. This is a serious issue due to its potential for widespread impact.

  • A flaw in Windows FTP allows remote code execution.
  • Attackers can run unauthorized code over the network.
  • Confirm if your systems use Windows FTP Service.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted FTP requests over the network to a vulnerable Windows FTP Service. This access doesn't require any special privileges or user interaction. Successful exploitation could allow the attacker to execute arbitrary code on the affected system.

  • Network access required.
  • Triggered by specially crafted FTP requests.
  • Risk of arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

An attacker could execute code remotely over a network by exploiting a heap-based buffer overflow in the Windows FTP Service. This could allow an unauthorized user to compromise the integrity and availability of the affected system.

  • System integrity and availability.
  • Remote code execution over network.
  • Unauthorized code execution and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Windows FTP Service vulnerability requires immediate attention from infrastructure and platform teams responsible for managing Windows servers. The first practical step is to identify all instances of the affected FTP service, confirm its network exposure and business criticality, and then assign ownership for remediation planning.

  • Infrastructure and platform teams should own this.
  • Verify FTP service exposure and business criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Windows FTP Service?

The Windows FTP Service is a built-in component of the Windows operating system that enables the transfer of files between a client and a server using the File Transfer Protocol. It is commonly used by organizations to provide remote access to data stores, host file repositories, or facilitate automated backend system communications over a network.

What does CWE-122 mean for CVE-2026-49172?

CWE-122 refers to a heap-based buffer overflow. In plain terms, this means the software attempts to write more data into a reserved area of memory, known as the heap, than it can actually hold. Because the software fails to properly check the size of incoming data, an attacker can overwrite adjacent memory, which may allow them to inject and run their own unauthorized instructions on the server.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specially crafted FTP requests to a target server. This does not require any existing login credentials or help from a local user. Notably, simply connecting to the service without sending these specific malicious requests will not trigger the bug; it requires the processing of the malformed data packet to cause the memory overflow.

Why is this CVE considered high risk?

Halo Surface Signal indicates that because the Windows FTP Service is a standard protocol often deployed as an internet-facing gateway for remote data access, it is frequently reachable from outside an organization's internal network. This broad network accessibility, combined with the ability to execute code without authentication, makes the service a primary target for remote threats.

Do I need to take immediate action if I run Windows FTP?

Yes. Start by inventorying all Windows servers in your environment to identify which systems are running the FTP service. Once identified, evaluate whether those specific instances must be internet-facing or if they can be restricted. Coordinate with your infrastructure team to verify the service's role and prioritize these servers for official security updates.

References