CVEFinder.io

CVE-2025-27889

ℹī¸ low
🔍 Scan for this CVE
Summary

Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

CVSS Score
3.4
Low
EPSS Score
0.0
Exploit Probability
Published Date
2025-07-10
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 2.8% of all 326,604 vulnerabilities in our database.

#317,424
Below average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Jul 10, 2025
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-07-17
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CWE IDs (Weakness Types)
CWE-15

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
wftpserver wing_ftp_server Affected
< 7.4.4

🔗 References 3

https://github.com/MrTuxracer/advisories/blob/master...
Exploit Third Party Advisory
https://www.rcesecurity.com/2025/06/what-the-null-wi...
Exploit Third Party Advisory
https://www.wftpserver.com/wftpserver.htm
Broken Link

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44403 ⚠ī¸ high 7.2 0.1 Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization ... 2026-05-12
CVE-2020-37079 đŸ”ļ medium 4.3 0.0 Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat... 2026-02-07
CVE-2019-25267 ⚠ī¸ high 7.8 0.0 Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute... 2026-02-05
CVE-2020-37032 ⚠ī¸ high 8.8 0.4 Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authentica... 2026-01-30
CVE-2025-47811 đŸ”ļ medium 4.1 0.1 In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S... 2025-07-10
CVE-2025-47812 ⛔ critical 10.0 92.5 In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection o... 2025-07-10
These CVEs affect the same products