EmFTP may insecurely load executable files


EmFTP contains a flaw when loading files, where an unintended executable file may be loaded when attempting to open a file without an extension. For example, if a text file named "example" (without an extension) and an executable "example.exe" are in the same directory, attempting to open the file "example" will result in the execution of "example.exe".
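The name collision described above can be audited for before files are opened. The following is an added example, not part of the advisory or the vendor's code: it walks a directory tree and reports every extensionless file that has an executable sibling with the same base name. The function names and the extensions other than ".exe" are assumptions.

```python
import os
import tempfile

# Assumption: the advisory names only ".exe"; the other extensions are added
# here because Windows also treats them as executable file types.
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def find_shadowed_files(root, exec_exts=EXEC_EXTS):
    """Return sorted (extensionless file, executable sibling) path pairs."""
    exts = {e.lower() for e in exec_exts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows names are case-insensitive: index executables by lowercased stem.
        execs = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in exts:
                execs.setdefault(stem.lower(), []).append(name)
        for name in files:
            if os.path.splitext(name)[1]:
                continue  # the advisory concerns extensionless names only
            for exe in execs.get(name.lower(), []):
                hits.append((os.path.join(dirpath, name),
                             os.path.join(dirpath, exe)))
    return sorted(hits)


def build_sample_tree(root):
    """Create constructed sample files (empty, harmless) for the demo."""
    for name in ("example", "example.exe",     # the advisory's case
                 "README", "readme.CMD",       # case differs, still collides
                 "notes",                      # extensionless, no sibling
                 "report.txt", "report.exe"):  # has an extension, not flagged
        with open(os.path.join(root, name), "w"):
            pass


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for plain, exe in find_shadowed_files(d):
            print(f"{os.path.basename(plain)!r} is shadowed by "
                  f"{os.path.basename(exe)!r}")
```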
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Emurasoft, Inc.
  • EmFTP Professional
  • EmFTP Standard


An attacker may execute arbitrary code with the privileges of the vulnerable application.

[Apply a workaround]
EmFTP development has ended. The developer recommends the following workaround.

When opening local files, do not use EmFTP. Use the Run command or Windows Explorer instead.
Vendor Information

Emurasoft, Inc.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2014-3910

  1. JVN : JVN#50367052
  2. National Vulnerability Database (NVD) : CVE-2014-3910
Revision History

  • [2014/09/04]
      Web page was published
       References : Content was added