Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key signature during the SSH handshake, which triggers a heap-based buffer overflow.
Conclusion & alert: CVE-2013-4852 is rated Moderate Risk (54.7/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.75%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-03-30 | 2.56% | 1.75% | -0.81% |
| 2 | 2025-03-29 | 1.75% | 2.56% | +0.81% |
| 3 | 2025-03-17 | — | 1.75% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
low | CVE-2013-4852 low priority: Debian including 2 source packages (filezilla, putty), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. | https://security-tracker.debian.org/tracker/CVE-2013-4852 |
gentoo
|
normal | CVE-2013-4852: 2 GLSA(s) (201308-01, 201309-08), 2 atom(s) (net-ftp/filezilla, net-misc/putty); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-4852 |
ubuntu
|
medium | CVE-2013-4852 medium priority: Ubuntu including 2 source packages (filezilla, putty), 32 status rows across 16 suites (artful, bionic, cosmic, lucid, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): released 16, ignored 12, not-affected 3, DNE 1. | https://ubuntu.com/security/CVE-2013-4852 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| winscp | winscp | <= 5.1.5 | cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:* |
| winscp | winscp | 3.7.6 | cpe:2.3:a:winscp:winscp:3.7.6:*:*:*:*:*:*:* |
| winscp | winscp | 3.8.2 | cpe:2.3:a:winscp:winscp:3.8.2:*:*:*:*:*:*:* |
| winscp | winscp | 3.8_beta | cpe:2.3:a:winscp:winscp:3.8_beta:*:*:*:*:*:*:* |
| winscp | winscp | 4.0.4 | cpe:2.3:a:winscp:winscp:4.0.4:*:*:*:*:*:*:* |
| winscp | winscp | 4.0.5 | cpe:2.3:a:winscp:winscp:4.0.5:*:*:*:*:*:*:* |
| winscp | winscp | 4.2.6 | cpe:2.3:a:winscp:winscp:4.2.6:*:*:*:*:*:*:* |
| winscp | winscp | 4.2.7 | cpe:2.3:a:winscp:winscp:4.2.7:*:*:*:*:*:*:* |
| winscp | winscp | 4.2.8 | cpe:2.3:a:winscp:winscp:4.2.8:*:*:*:*:*:*:* |
| winscp | winscp | 4.2.9 | cpe:2.3:a:winscp:winscp:4.2.9:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.2 | cpe:2.3:a:winscp:winscp:4.3.2:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.4 | cpe:2.3:a:winscp:winscp:4.3.4:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.5 | cpe:2.3:a:winscp:winscp:4.3.5:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.6 | cpe:2.3:a:winscp:winscp:4.3.6:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.7 | cpe:2.3:a:winscp:winscp:4.3.7:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.8 | cpe:2.3:a:winscp:winscp:4.3.8:*:*:*:*:*:*:* |
| winscp | winscp | 4.3.9 | cpe:2.3:a:winscp:winscp:4.3.9:*:*:*:*:*:*:* |
| winscp | winscp | 4.4.0 | cpe:2.3:a:winscp:winscp:4.4.0:*:*:*:*:*:*:* |
| winscp | winscp | 5.0 | cpe:2.3:a:winscp:winscp:5.0:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.1 | cpe:2.3:a:winscp:winscp:5.0.1:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.2 | cpe:2.3:a:winscp:winscp:5.0.2:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.3 | cpe:2.3:a:winscp:winscp:5.0.3:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.4 | cpe:2.3:a:winscp:winscp:5.0.4:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.5 | cpe:2.3:a:winscp:winscp:5.0.5:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.6 | cpe:2.3:a:winscp:winscp:5.0.6:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.7 | cpe:2.3:a:winscp:winscp:5.0.7:beta:*:*:*:*:*:* |
| winscp | winscp | 5.0.8 | cpe:2.3:a:winscp:winscp:5.0.8:rc:*:*:*:*:*:* |
| winscp | winscp | 5.0.9 | cpe:2.3:a:winscp:winscp:5.0.9:rc:*:*:*:*:*:* |
| winscp | winscp | 5.1 | cpe:2.3:a:winscp:winscp:5.1:*:*:*:*:*:*:* |
| winscp | winscp | 5.1.1 | cpe:2.3:a:winscp:winscp:5.1.1:*:*:*:*:*:*:* |
| winscp | winscp | 5.1.2 | cpe:2.3:a:winscp:winscp:5.1.2:*:*:*:*:*:*:* |
| winscp | winscp | 5.1.3 | cpe:2.3:a:winscp:winscp:5.1.3:*:*:*:*:*:*:* |
| winscp | winscp | 5.1.4 | cpe:2.3:a:winscp:winscp:5.1.4:*:*:*:*:*:*:* |
| debian | debian_linux | 6.0 | cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* |
| debian | debian_linux | 7.0 | cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
| debian | debian_linux | 7.1 | cpe:2.3:o:debian:debian_linux:7.1:*:*:*:*:*:*:* |
| opensuse | opensuse | 12.3 | cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* |
| putty | putty | 0.45 | cpe:2.3:a:putty:putty:0.45:*:*:*:*:*:*:* |
| putty | putty | 0.46 | cpe:2.3:a:putty:putty:0.46:*:*:*:*:*:*:* |
| putty | putty | 0.47 | cpe:2.3:a:putty:putty:0.47:*:*:*:*:*:*:* |
| putty | putty | 0.48 | cpe:2.3:a:putty:putty:0.48:*:*:*:*:*:*:* |
| putty | putty | 0.49 | cpe:2.3:a:putty:putty:0.49:*:*:*:*:*:*:* |
| putty | putty | 0.50 | cpe:2.3:a:putty:putty:0.50:*:*:*:*:*:*:* |
| putty | putty | 0.51 | cpe:2.3:a:putty:putty:0.51:*:*:*:*:*:*:* |
| putty | putty | 0.52 | cpe:2.3:a:putty:putty:0.52:*:*:*:*:*:*:* |
| putty | putty | 0.53b | cpe:2.3:a:putty:putty:0.53b:*:*:*:*:*:*:* |
| putty | putty | 0.54 | cpe:2.3:a:putty:putty:0.54:*:*:*:*:*:*:* |
| putty | putty | 0.55 | cpe:2.3:a:putty:putty:0.55:*:*:*:*:*:*:* |
| putty | putty | 0.56 | cpe:2.3:a:putty:putty:0.56:*:*:*:*:*:*:* |
| putty | putty | 0.57 | cpe:2.3:a:putty:putty:0.57:*:*:*:*:*:*:* |
| putty | putty | 0.58 | cpe:2.3:a:putty:putty:0.58:*:*:*:*:*:*:* |
| putty | putty | 0.59 | cpe:2.3:a:putty:putty:0.59:*:*:*:*:*:*:* |
| putty | putty | 0.60 | cpe:2.3:a:putty:putty:0.60:*:*:*:*:*:*:* |
| putty | putty | 0.61 | cpe:2.3:a:putty:putty:0.61:*:*:*:*:*:*:* |
| putty | putty | 2010-06-01 | cpe:2.3:a:putty:putty:2010-06-01:r8967:*:*:development_snapshot:*:*:* |
| simon_tatham | putty | <= 0.62 | cpe:2.3:a:simon_tatham:putty:*:*:*:*:*:*:*:* |
| simon_tatham | putty | 0.53 | cpe:2.3:a:simon_tatham:putty:0.53:*:*:*:*:*:*:* |