CVEFinder.io

CVE-2019-25267

⚠ī¸ high
🔍 Scan for this CVE
Summary

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.

CVSS Score
7.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-02-05
First Seen: 2026-02-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 326,604 vulnerabilities in our database.

#99,150
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Feb 6, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Nawaf Alkeraithe
SSVC data provided by CISA
Last Modified 2026-02-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-428

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
wftpserver wing_ftp_server Affected
v6.0.7

🔗 References 3

https://www.exploit-db.com/exploits/47818
Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/wing-ftp-server...
Third Party Advisory
https://www.wftpserver.com/
Product

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44403 ⚠ī¸ high 7.2 0.1 Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization ... 2026-05-12
CVE-2020-37079 đŸ”ļ medium 4.3 0.0 Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat... 2026-02-07
CVE-2020-37032 ⚠ī¸ high 8.8 0.4 Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authentica... 2026-01-30
CVE-2025-27889 ℹī¸ low 3.4 0.0 Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint... 2025-07-10
CVE-2025-47811 đŸ”ļ medium 4.1 0.1 In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S... 2025-07-10
CVE-2025-47812 ⛔ critical 10.0 92.5 In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection o... 2025-07-10
These CVEs affect the same products