CVE-2025-27889: CWE-15 External Control of System or Configuration Setting in wftpserver Wing FTP Server
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
AI Analysis
Technical Summary
CVE-2025-27889 is a vulnerability identified in Wing FTP Server versions prior to 7.4.4. The issue stems from improper validation and sanitization of the 'url' parameter in the downloadpass.html endpoint. This flaw allows an attacker to craft a malicious link that, when clicked by a legitimate user, causes the server to disclose a cleartext password. The vulnerability is categorized under CWE-15, which involves external control of system or configuration settings, indicating that an external input influences sensitive configuration data without adequate validation. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to confidentiality (C:L) with no impact on integrity or availability. The CVSS score is 3.4, indicating a low severity level. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability could lead to unauthorized disclosure of passwords, potentially allowing attackers to gain unauthorized access if they leverage the disclosed credentials further. However, exploitation requires tricking a user into clicking a crafted link, which limits the attack's practicality and reach. The vulnerability highlights the importance of proper input validation and sanitization in web-facing endpoints to prevent injection and information disclosure attacks.
Potential Impact
For European organizations using Wing FTP Server, this vulnerability poses a confidentiality risk by potentially exposing cleartext passwords to attackers. If exploited, attackers could gain unauthorized access to FTP accounts, leading to data breaches or unauthorized data transfers. Given the low CVSS score and the requirement for user interaction, the immediate risk is limited but should not be ignored, especially in sectors handling sensitive or regulated data such as finance, healthcare, and government. The scope change indicates that the vulnerability could affect multiple components or systems beyond the initial endpoint, increasing the potential impact if combined with other vulnerabilities or social engineering tactics. European organizations with remote or distributed workforces might be more susceptible if users are targeted via phishing campaigns containing the crafted links. The lack of known exploits in the wild reduces the urgency but does not eliminate the risk, as attackers could develop exploits once the vulnerability details are public. Failure to address this vulnerability could lead to compliance issues under GDPR if personal or sensitive data is compromised due to unauthorized access facilitated by leaked credentials.
Mitigation Recommendations
European organizations should prioritize upgrading Wing FTP Server to version 7.4.4 or later once available, as this version addresses the vulnerability. Until a patch is applied, organizations should implement strict input validation and sanitization on the 'url' parameter at the web server or application firewall level to block malicious payloads. User awareness training should emphasize caution when clicking on unsolicited or suspicious links, especially those related to file transfer services. Implement multi-factor authentication (MFA) on FTP accounts to reduce the risk posed by leaked passwords. Monitor FTP server logs for unusual access patterns or repeated failed login attempts that could indicate exploitation attempts. Network segmentation can limit the exposure of the FTP server to only trusted users and systems. Additionally, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability. Regular security assessments and penetration testing should include checks for this and similar injection vulnerabilities to ensure comprehensive protection.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-27889: CWE-15 External Control of System or Configuration Setting in wftpserver Wing FTP Server
Description
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
AI-Powered Analysis
Technical Analysis
CVE-2025-27889 is a vulnerability identified in Wing FTP Server versions prior to 7.4.4. The issue stems from improper validation and sanitization of the 'url' parameter in the downloadpass.html endpoint. This flaw allows an attacker to craft a malicious link that, when clicked by a legitimate user, causes the server to disclose a cleartext password. The vulnerability is categorized under CWE-15, which involves external control of system or configuration settings, indicating that an external input influences sensitive configuration data without adequate validation. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to confidentiality (C:L) with no impact on integrity or availability. The CVSS score is 3.4, indicating a low severity level. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability could lead to unauthorized disclosure of passwords, potentially allowing attackers to gain unauthorized access if they leverage the disclosed credentials further. However, exploitation requires tricking a user into clicking a crafted link, which limits the attack's practicality and reach. The vulnerability highlights the importance of proper input validation and sanitization in web-facing endpoints to prevent injection and information disclosure attacks.
Potential Impact
For European organizations using Wing FTP Server, this vulnerability poses a confidentiality risk by potentially exposing cleartext passwords to attackers. If exploited, attackers could gain unauthorized access to FTP accounts, leading to data breaches or unauthorized data transfers. Given the low CVSS score and the requirement for user interaction, the immediate risk is limited but should not be ignored, especially in sectors handling sensitive or regulated data such as finance, healthcare, and government. The scope change indicates that the vulnerability could affect multiple components or systems beyond the initial endpoint, increasing the potential impact if combined with other vulnerabilities or social engineering tactics. European organizations with remote or distributed workforces might be more susceptible if users are targeted via phishing campaigns containing the crafted links. The lack of known exploits in the wild reduces the urgency but does not eliminate the risk, as attackers could develop exploits once the vulnerability details are public. Failure to address this vulnerability could lead to compliance issues under GDPR if personal or sensitive data is compromised due to unauthorized access facilitated by leaked credentials.
Mitigation Recommendations
European organizations should prioritize upgrading Wing FTP Server to version 7.4.4 or later once available, as this version addresses the vulnerability. Until a patch is applied, organizations should implement strict input validation and sanitization on the 'url' parameter at the web server or application firewall level to block malicious payloads. User awareness training should emphasize caution when clicking on unsolicited or suspicious links, especially those related to file transfer services. Implement multi-factor authentication (MFA) on FTP accounts to reduce the risk posed by leaked passwords. Monitor FTP server logs for unusual access patterns or repeated failed login attempts that could indicate exploitation attempts. Network segmentation can limit the exposure of the FTP server to only trusted users and systems. Additionally, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability. Regular security assessments and penetration testing should include checks for this and similar injection vulnerabilities to ensure comprehensive protection.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-03-10T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 686ff1d3a83201eaaca8defb
Added to database: 7/10/2025, 5:01:07 PM
Last enriched: 7/10/2025, 5:16:37 PM
Last updated: 7/10/2025, 6:37:37 PM
Views: 3
Related Threats
CVE-2025-7435: Cross Site Scripting in LiveHelperChat lhc-php-resque Extension
MediumCVE-2025-53864: CWE-674 Uncontrolled Recursion in Connect2id Nimbus JOSE+JWT
MediumCVE-2025-7434: Stack-based Buffer Overflow in Tenda FH451
HighCVE-2025-7423: Stack-based Buffer Overflow in Tenda O3V2
HighCVE-2025-7422: Stack-based Buffer Overflow in Tenda O3V2
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.