Microsoft FTP Client Multiple Buffer Overflow Vulnerabilities


A remote attacker can craft packets that carry a payload
in the "mget", "ls", "dir", "username" and "password"
commands, as demonstrated below. When the victim executes
the POC or the specially crafted packets, the FTP client
crashes, with possible arbitrary code execution in the
context of the logged-in user. This vulnerability is hard
to exploit because it requires social engineering, and the
shellcode has to be injected as an argument to the
vulnerable commands.

The vulnerability is caused by an error in how the
Windows FTP client validates commands such as "mget",
"dir", "user", "password" and "ls".

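The missing validation described above comes down to checking an argument's length before it is copied into a fixed-size buffer. The following is an added example, not code from the advisory or from Microsoft; the function name copy_ftp_argument and the FTP_ARG_MAX limit are assumptions, since the advisory gives no buffer size.

```c
#include <stddef.h>
#include <string.h>

#define FTP_ARG_MAX 255  /* assumed limit; the advisory gives no buffer size */

/* Command names as the advisory lists them. */
static const char *const checked_cmds[] = { "mget", "ls", "dir", "user", "password" };

enum arg_status { ARG_OK = 0, ARG_TOO_LONG = -1, ARG_BAD_INPUT = -2 };

/*
 * Split "cmd argument" and copy the argument into out[out_size].
 * The length is checked before any copy, so an oversized argument
 * is rejected instead of overrunning the destination buffer.
 */
int copy_ftp_argument(const char *line, char *out, size_t out_size)
{
    if (line == NULL || out == NULL || out_size == 0)
        return ARG_BAD_INPUT;
    out[0] = '\0';

    size_t cmd_len = strcspn(line, " \t");
    const char *arg = line + cmd_len;
    arg += strspn(arg, " \t");            /* skip separator whitespace */
    size_t arg_len = strcspn(arg, "\r\n"); /* argument ends at line end */

    int checked = 0;
    for (size_t i = 0; i < sizeof checked_cmds / sizeof checked_cmds[0]; i++) {
        if (strlen(checked_cmds[i]) == cmd_len &&
            strncmp(line, checked_cmds[i], cmd_len) == 0)
            checked = 1;
    }
    if (!checked)
        return ARG_BAD_INPUT;             /* not a command this check covers */

    if (arg_len > FTP_ARG_MAX || arg_len >= out_size)
        return ARG_TOO_LONG;              /* reject, never truncate silently */

    memcpy(out, arg, arg_len);
    out[arg_len] = '\0';
    return ARG_OK;
}
```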