CVE-2026-43633: Roxio Easy VHS to DVD FTP Information Disclosure
TL;DR - Roxio Easy VHS to DVD may expose source paths, memory details, and line numbers via FTP responses. - Any system running the software with the local FTP service reachable should be treated as potentially affected. - No confirmed patch or fixed version is public in reviewed sources; reduce exposure now.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-43633 |
| CVSS score | 5.3 (Medium) |
| Attack vector | Network |
| Authentication required | None |
| Patch status | Not confirmed in reviewed public references |
Vulnerability at a Glance
CVE-2026-43633 is a CWE-200 Exposure of Sensitive Information to an Unauthorized Actor issue affecting Roxio Easy VHS to DVD. Per NVD, the software “returns source code, memory, and line number details in an FTP response.” Public technical summary material further indicates that an unauthenticated remote attacker may obtain diagnostic information by connecting to the local FTP service exposed by the application.
The practical risk here is not direct code execution. Instead, this is an information disclosure flaw that can materially improve an attacker’s reconnaissance. Source code paths, memory fragments, and line number details can reveal implementation internals, build layout, exception handling behavior, and environmental details. On their own, those may be limited-impact disclosures; in combination with other weaknesses, they can make later-stage exploitation more reliable.
What This Vulnerability Means for Defenders
From a defender’s perspective, the key point is that this issue is network reachable and requires no authentication according to the CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. That makes exposure management more important than the medium score alone might suggest. If the FTP listener is bound to more than localhost or reachable from adjacent systems, this becomes a straightforward target for scanning and low-effort probing.
The available public material does not show evidence of direct integrity or availability impact. CVSS reflects that: confidentiality impact is low, while integrity and availability are rated none. Still, sensitive diagnostic output often becomes valuable in real operations because it can reveal filesystem paths, coding conventions, memory artifacts, and exact code locations that help attackers tune follow-on attacks or identify other weaknesses.
Affected Products and Version Information
The affected product named in the public references is Roxio Easy VHS to DVD. However, an important limitation for practitioners is that the currently reviewed public sources do not specify exact affected version ranges, and they also do not identify a fixed version number. That means defenders cannot yet rely on a precise “upgrade from X through Y to Z” decision tree based on the available advisory content alone.
Because the version range is unknown, the safest operational assumption is this: if your environment includes Roxio Easy VHS to DVD and the application exposes an FTP service, treat the installation as potentially affected until vendor-specific release notes or a validated advisory say otherwise. This is especially relevant for SMB environments, media conversion workstations, or legacy capture systems that may not be centrally inventoried.
| Product | Affected versions | Fixed version |
|---|---|---|
| Roxio Easy VHS to DVD | Unknown from reviewed public references | Not specified in reviewed public references |
If your vulnerability management process requires explicit version ranges, document this CVE as vendor/version unknown rather than marking it not applicable. In the absence of authoritative version data, defenders should assume exposure is possible wherever the product is present and validate by testing the service behavior directly.
CVSS and Exposure Context
CVE-2026-43633 has a CVSS v3.1 base score of 5.3 (Medium). The full vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
That vector matters operationally. AV:N and PR:N mean an attacker does not need local access or credentials. AC:L indicates the issue should not require unusual conditions to trigger. The reason the overall score remains medium is that the observed impact is limited to confidentiality leakage (C:L) without demonstrated modification or disruption.
For security teams, medium severity should not automatically mean low priority. If the service is reachable from untrusted networks, the risk may be higher in context than the base score suggests. Conversely, if the FTP service is local-only, host firewalled, and deployed on an isolated workstation with no inbound access, the practical risk is reduced. Asset exposure and network path matter more here than raw CVSS.
Exploitation Status and Threat Intelligence
At the time of writing, there is no CISA KEV listing for CVE-2026-43633. That means there is no CISA-confirmed evidence of active exploitation in the wild based on KEV status. This should be stated carefully: absence from KEV is not proof of non-exploitation, only that there is no KEV-backed confirmation available.
Public references reviewed for this article also do not indicate a public proof of concept. The GitHub advisory reference provides a technical summary of the issue, but the reviewed material does not include exploit code or a working PoC. So the current status is:
| Question | Status |
|---|---|
| Exploitation confirmed in the wild? | No confirmed evidence in reviewed sources |
| Listed in CISA KEV? | No |
| Public PoC known? | None identified in reviewed sources |
In practice, defenders should assume that simple manual probing may be enough to observe the issue if the affected FTP service is exposed, even without a formal PoC release. Information disclosure bugs often do not need sophisticated exploit chains to be useful.
Additional Resources
For further reading on related topics, consider exploring: - What is the difference between a virus and a worm? - What is DNS spoofing?
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
How to Detect Exposure and Possible Abuse
The first detection priority is identifying systems that are actually running the relevant service. Because the public write-up references a local FTP service exposed by the application, defenders should inventory Roxio Easy VHS to DVD hosts and then confirm whether an FTP listener is present, what interface it binds to, and whether it is reachable across the network.
The second priority is looking for verbose FTP responses that contain implementation detail. Since exact response strings are not published in the reviewed sources, defenders should hunt for generic indicators such as source paths, memory-like output, debugging terms, or line references in FTP control-channel responses. If you do not have packet capture, endpoint logs and service banners can still help establish whether the application is exposing unexpected protocol output.
Technical Notes: Detection
Use host and network triage to identify FTP listeners:
# Windows PowerShell: list listening TCP sockets that may indicate FTP
Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -eq 21}
# Windows CMD: identify the owning process
netstat -ano | findstr :21
tasklist /fi "PID eq <PID>"
# Nmap from a management host to validate exposure
nmap -sV -p 21 <target-ip>
Manually inspect FTP responses for sensitive diagnostic output:
# Basic banner and response check
ftp <target-ip>
# Or with netcat for raw control-channel inspection
nc <target-ip> 21
Concrete detection ideas for logs and network telemetry:
Possible suspicious FTP response patterns to search for:
- :\ or C:\ in FTP server responses
- /src/ or \src\ in FTP server responses
- "line " followed by a number in FTP server responses
- "memory" or hexadecimal-looking fragments in FTP server responses
- unusually long 4xx/5xx FTP error responses
Example Splunk-style query for FTP control-channel logs or normalized network telemetry:
(index=network OR index=proxy OR index=ids)
(dest_port=21 OR app=ftp)
("C:\\" OR "\\src\\" OR "/src/" OR "line " OR "memory")
| stats count by src_ip, dest_ip, _time
Example Zeek-style filtering approach if FTP logs are available:
grep -Ei 'C:\|\src\|/src/|line [0-9]+|memory' ftp*.log
Because the exact strings are unknown, detection should focus on anomalous verbosity in FTP error/status responses, especially any response that looks like a stack trace fragment, filesystem path, debug artifact, or code location marker.
Mitigation and Patching
The most important caveat for CVE-2026-43633 is that a patch is not confirmed in the reviewed public references, and no fixed version number is specified. That means defenders should avoid claiming that a specific release resolves the issue unless they have direct vendor confirmation. If you have enterprise software support or reseller access, request a vendor statement before closing the ticket as remediated.
In the absence of a confirmed patch, mitigation should focus on service exposure reduction. If the application’s FTP service is not required for your workflow, disable it or prevent inbound access with host firewall rules. If the software must remain installed for operational reasons, restrict reachability to localhost or a trusted admin subnet only. For workstation-class systems, the strongest interim control is often simply blocking inbound TCP/21.
Technical Notes: Mitigation
Windows Defender Firewall example to block inbound FTP access:
New-NetFirewallRule `
-DisplayName "Block Roxio FTP inbound 21" `
-Direction Inbound `
-Action Block `
-Protocol TCP `
-LocalPort 21
Legacy netsh equivalent:
netsh advfirewall firewall add rule name="Block Roxio FTP inbound 21" dir=in action=block protocol=TCP localport=21
If you confirm the application binds only locally, verify with:
Get-NetTCPConnection -LocalPort 21 -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess
If your software deployment tooling supports managed updates, use your normal product update path, but document clearly that no fixed version is publicly confirmed. In other words: do not assume “latest” equals fixed without evidence.
Short-term workaround priorities:
| Priority | Action | Why it helps |
|---|---|---|
| High | Block inbound TCP/21 on affected hosts | Removes remote reachability |
| High | Limit access to trusted management networks only | Reduces attacker path |
| Medium | Confirm whether the FTP service is actually enabled | Avoids chasing non-exposed assets |
| Medium | Isolate legacy capture workstations | Reduces blast radius |
| Low | Capture protocol responses for validation | Confirms exposure and remediation |
What to Do Next
If you run Roxio Easy VHS to DVD, start by identifying where it is installed and whether an FTP listener exists. Because the public version information is incomplete, assume any installed instance could be affected until proven otherwise. Exposure validation is straightforward and should be prioritized over waiting for perfect advisory data.
If you do not run this software, this CVE is mainly a reminder to watch for third-party desktop software that silently exposes local network services. Many organizations focus patching on browsers, VPNs, and servers, but media utilities and peripheral software can still widen the attack surface in ways that are easy to miss during routine scanning.
References
| Source | Notes |
|---|---|
| NVD record for CVE-2026-43633 | Published 2026-04-09, last modified 2026-05-15, CVSS 5.3, CWE-200 |
| GitHub advisory reference | Public technical summary indicating FTP response disclosure of source code paths, memory, and line numbers |
| CISA KEV catalog status | Not listed at time of writing |
Direct URLs referenced in source material:
- https://nvd.nist.gov/vuln/detail/CVE-2026-43633
- https://github.com/CyberDanube/security-advisories/blob/main/26/CVE-2026-43633.md
- https://www.genesys.com/company/genesys-security/advisories