CVE-2025-47811: CWE-267 Privilege Defined With Unsafe Actions in wftpserver Wing FTP Server
Description
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-05-10T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686ff1d3a83201eaaca8df00
Added to database: 7/10/2025, 5:01:07 PM
Last updated: 7/10/2025, 5:01:07 PM