ADVISORY INFORMATION

  • Product: Wing FTP Server
  • Vendor URL: https://www.wftpserver.com
  • CWE: Incorrect Default Permissions [CWE-276]
  • Date found: 2025-05-12
  • Date published: 2025-06-30
  • CVSSv4 Score: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
  • CVE: CVE-2025-47811

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Wing FTP Server <= 7.4.4

INTRODUCTION

Wing FTP Server is a free, easy-to-use, and secure FTP server software for Windows, Linux, and Mac OS. It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, giving your clients flexibility in how they connect to the server. And it provides admins with a web-based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server.

(from the vendor’s homepage)

VULNERABILITY DETAILS

Wing FTP Server runs as root on Linux and as NT AUTHORITY\SYSTEM on Windows by default. There is no form of isolation, jail, or dropping of rights, even for anonymous user accounts. Combined with a vulnerability like CVE-2025-47812, or with legitimate functionality such as executing commands from the administrative web interface, this ultimately results in code execution with the highest possible rights. Since an administrative FTP user is not necessarily also an operating system administrator, we believe that the server grants overly broad permissions to any user.
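The practical check that follows from the above is whether the daemon is actually running as root on a given host. The script below is an added example written for this advisory, not vendor code: it parses `ps -eo pid,user,comm` output on Linux and lists every server process owned by root. The command-name pattern "wftp" is an assumption about how the Linux binary is named; the sample `ps` output is constructed, not captured from a real host.

```python
"""Audit whether the Wing FTP Server daemon runs as root.

Added example for this advisory, not vendor code. Parses `ps -eo pid,user,comm`
output (Linux) and lists every server process owned by root. The command-name
pattern "wftp" is an assumption about the Linux binary name; adjust it to the
installed service.
"""
import re
import subprocess

SERVER_PATTERN = re.compile(r"wftp", re.IGNORECASE)  # assumed binary name
PRIVILEGED_USERS = {"root"}  # UID 0: the advisory's "highest possible rights"


def parse_ps(output: str) -> list:
    """Parse `ps -eo pid,user,comm` text into dicts, skipping the header row."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, user, comm = parts
        rows.append({"pid": int(pid), "user": user, "comm": comm})
    return rows


def privileged_server_processes(rows: list) -> list:
    """Return the server processes that run under a privileged account."""
    return [
        r for r in rows
        if SERVER_PATTERN.search(r["comm"]) and r["user"] in PRIVILEGED_USERS
    ]


def audit_live() -> list:
    """Run ps on this host and return any root-owned server processes."""
    proc = subprocess.run(
        ["ps", "-eo", "pid,user,comm"], capture_output=True, text=True, check=True
    )
    return privileged_server_processes(parse_ps(proc.stdout))


# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     systemd
  812 root     wftpserver
  813 root     wftpserver
 1204 ftp      vsftpd
 1330 wftp     wftpserver
"""

if __name__ == "__main__":
    for r in privileged_server_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {r['pid']} ({r['comm']}) runs as {r['user']}")
```

Run `audit_live()` on the FTP host itself; an empty result means every matching process has already been moved to an unprivileged account, which is the state the advisory argues the default installation should be in.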

PROOF OF CONCEPT

A payload to exploit this vulnerability using the /admin_webservice.html endpoint looks like the following:

admin=admin&pass=password&cmd=os.execute('cmd.exe%20%2Fc%20whoami%20%3E%20C%3A%5C%5Cout.txt')
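Because the request above is legitimate administrative functionality, the useful control on the defender's side is visibility: alert whenever the admin web service receives a `cmd` value that reaches the operating system. The script below is an added example written for this advisory, not vendor code. It inspects a captured request (path plus form-encoded body, as a reverse proxy or WAF would see it) and reports hits on `/admin_webservice.html`. Only `os.execute` appears in the advisory; `io.popen` is included as an assumed equivalent Lua primitive, and the captured requests are constructed (the first body is the proof of concept shown above).

```python
"""Flag admin web-service requests whose Lua "cmd" reaches the operating system.

Added example for this advisory, not vendor code. Inspects a captured HTTP
request (path and form-encoded body) and reports requests to
/admin_webservice.html whose "cmd" parameter invokes os.execute. io.popen is
an assumed equivalent primitive, not one named in the advisory.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

ADMIN_ENDPOINT = "/admin_webservice.html"
OS_EXEC = re.compile(r"\b(os\.execute|io\.popen)\s*\(", re.IGNORECASE)


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return a finding for a suspicious admin request, or None."""
    if path.split("?", 1)[0] != ADMIN_ENDPOINT:
        return None
    params = parse_qs(body, keep_blank_values=True)  # one level of %-decoding
    for cmd in params.get("cmd", []):
        # Also test a second decoding pass in case the value was double-encoded.
        for candidate in (cmd, unquote_plus(cmd)):
            if OS_EXEC.search(candidate):
                return {
                    "endpoint": ADMIN_ENDPOINT,
                    "admin": params.get("admin", [""])[0],
                    "lua": candidate,
                    # Record only that a password was sent; never copy it into an alert.
                    "password_present": "pass" in params,
                }
    return None


# Constructed captures (not real traffic). The first body is the advisory's PoC.
CAPTURES = [
    (ADMIN_ENDPOINT,
     "admin=admin&pass=password&cmd=os.execute('cmd.exe%20%2Fc%20whoami%20%3E%20C%3A%5C%5Cout.txt')"),
    (ADMIN_ENDPOINT, "admin=admin&pass=password&cmd=print('hello')"),
    ("/login.html", "username=alice&password=secret"),
]


def findings() -> list:
    """Run the inspector over the constructed captures and keep the hits."""
    return [f for f in (inspect_request(p, b) for p, b in CAPTURES) if f]


if __name__ == "__main__":
    for f in findings():
        print(f"{f['endpoint']} admin={f['admin']!r} lua={f['lua']!r}")
```

The decoded `lua` field is what an analyst needs to triage the alert; because the server runs with full privileges by default, any such command should be treated as a SYSTEM- or root-level action by the named administrator.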

SOLUTION

REPORT TIMELINE

  • 2025-04-28: Discovery of the vulnerability
  • 2025-04-28: Sent full vulnerability details to the vendor
  • 2025-04-29: Vendor states that the associated rights are intentional and won’t be changed
  • 2025-05-10: MITRE assigns CVE-2025-47811
  • 2025-06-30: Full Disclosure

REFERENCES