CVE-2025-47811: CWE-267 Privilege Defined With Unsafe Actions in wftpserver Wing FTP Server
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
AI Analysis
Technical Summary
CVE-2025-47811 is a medium-severity vulnerability affecting Wing FTP Server versions up to 7.4.4. The issue lies in the administrative web interface, which by default listens on port 5466 and runs with root (on Unix/Linux) or SYSTEM (on Windows) privileges. This interface provides legitimate functionality to execute arbitrary system commands through features like the web console or task scheduler. However, these commands are executed with the highest system privileges, regardless of whether the administrative user of the web interface is also a system administrator. This design flaw constitutes a privilege definition weakness (CWE-267), where the privilege level granted to the web interface is unsafe given the actions it allows. An attacker who gains administrative access to the web interface can execute system commands with full system privileges, leading to potential system compromise or lateral movement. Although the vendor considers this behavior acceptable, it effectively enables privilege escalation within the context of the application. The CVSS v3.1 score is 4.1 (medium), reflecting that the vulnerability requires high privileges (administrative web interface access) and no user interaction, with network attack vector and limited impact on integrity but no confidentiality or availability impact. No known exploits are currently reported in the wild. The vulnerability is particularly concerning because administrative users of the web interface may not be system administrators, yet can perform highly privileged actions, increasing the risk if credentials are compromised or misused.
Potential Impact
For European organizations using Wing FTP Server, this vulnerability poses a risk of unauthorized privilege escalation if an attacker gains administrative access to the web interface. The impact includes potential execution of arbitrary system commands with root or SYSTEM privileges, which can lead to unauthorized system modifications, installation of malware, data tampering, or pivoting to other network resources. Although the vulnerability does not directly affect confidentiality or availability, the ability to execute commands at the highest privilege level can indirectly compromise sensitive data or disrupt services. Organizations in Europe that rely on Wing FTP Server for file transfer and management, especially in sectors with strict regulatory requirements (e.g., finance, healthcare, government), may face compliance risks if this vulnerability is exploited. The default exposure of the administrative interface on port 5466 increases the attack surface, especially if network segmentation or firewall rules are insufficient. Given the vendor's stance on the issue, organizations cannot rely on an official patch and must implement compensating controls to mitigate risk.
Mitigation Recommendations
1. Restrict network access to the administrative web interface (port 5466) using firewalls or network segmentation to limit exposure only to trusted administrators.
2. Enforce strong authentication and authorization controls for the web interface, including multi-factor authentication (MFA) where possible, to reduce the risk of credential compromise.
3. Monitor and audit administrative web interface access and command execution logs to detect suspicious activities promptly.
4. Consider running the Wing FTP Server administrative interface in a less privileged context if supported by configuration, or by isolating the server in a hardened environment.
5. If feasible, deploy host-based intrusion detection or endpoint protection solutions to detect anomalous command executions originating from the FTP server process.
6. Regularly review and update administrative user accounts, removing unnecessary privileges and disabling unused accounts.
7. Stay informed about vendor updates or community patches that may address this issue in the future.
8. As a last resort, evaluate alternative FTP server solutions that do not expose such privilege escalation risks.
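A host posture check for recommendations 1 and 4 above, as an added example (not code from the vendor or from this advisory): it parses the text output of `ss -H -ltnp` and flags any listener on the admin port (5466 by default) that is bound to all interfaces or owned by uid 0. The sample `ss` output and the pid-to-uid map are constructed; on a live host the map would come from `/proc/<pid>/status`.

```python
import re
from dataclasses import dataclass, field

ADMIN_PORT = 5466  # default admin web interface port named in the advisory
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}  # bind addresses meaning "all interfaces"

# One line of `ss -H -ltnp`: state recv-q send-q local peer users:(("proc",pid=N,fd=M))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass
class Finding:
    pid: int
    process: str
    bind_addr: str
    issues: list = field(default_factory=list)


def split_local(local):
    # "0.0.0.0:5466" -> ("0.0.0.0", 5466); "[::]:5466" -> ("[::]", 5466)
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def audit_ss_output(ss_text, pid_uid, admin_port=ADMIN_PORT):
    """Return one Finding per listener on admin_port; issues is empty if it looks sane."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, port = split_local(m["local"])
        if port != admin_port:
            continue
        pid = int(m["pid"])
        issues = []
        if addr in WILDCARDS:
            issues.append("bound to all interfaces")
        if pid_uid.get(pid) == 0:  # uid 0 == root; SYSTEM is the Windows analogue
            issues.append("process runs as root")
        findings.append(Finding(pid, m["proc"], addr, issues))
    return findings


# Constructed sample: one exposed root-owned listener, one loopback-only unprivileged one.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:5466 0.0.0.0:* users:(("wftpserver",pid=1234,fd=7))
LISTEN 0 128 127.0.0.1:5466 0.0.0.0:* users:(("wftpserver",pid=1235,fd=7))
LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("wftpserver",pid=1234,fd=5))
"""
SAMPLE_PID_UID = {1234: 0, 1235: 1001}  # constructed pid -> uid map
```

Any finding with a non-empty `issues` list means the admin interface is reachable beyond localhost or runs with the privilege the advisory warns about, and recommendations 1 and 4 have not been applied.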
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-05-10T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686ff1d3a83201eaaca8df00
Added to database: 7/10/2025, 5:01:07 PM
Last enriched: 7/10/2025, 5:16:25 PM
Last updated: 7/11/2025, 2:17:04 AM