
CVE-2019-25267

Severity: High · Public PoC

Published: 05 February 2026
Modified: 18 February 2026
KEV added: not listed
CVSS v4 score: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0022 (12.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25267 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Wftpserver Wing Ftp Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE is ranked at the 12.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

Wing FTP Server 6.0.7 is affected by CVE-2019-25267, an unquoted service path vulnerability classified under CWE-428. This flaw arises from an unquoted binary path in the Windows service configuration, enabling local attackers to potentially execute arbitrary code with elevated system privileges. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Local low-privileged users (PR:L) can exploit this vulnerability by placing a malicious executable in a directory that precedes the legitimate service binary in the system's PATH search order. When the Wing FTP Server service starts or restarts, Windows will execute the attacker's binary instead due to the unquoted path, granting it LocalSystem permissions and allowing full system compromise.

Advisories from VulnCheck and Exploit-DB provide further details, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/47818. Security practitioners should consult the vendor's site at https://www.wftpserver.com/ for patches or updates, and apply standard mitigations such as quoting the service ImagePath registry value or restricting write access to service directories.
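The two mitigations named above (quoting the service ImagePath and restricting write access to the directories along it) can be checked and applied from an elevated PowerShell session. The following audit script is an added example, not code from the advisory, from Exploit-DB or from the Wing FTP Server vendor. It reads every service's ImagePath from the standard HKLM:\SYSTEM\CurrentControlSet\Services key, reports those that are unquoted and contain a space (the CWE-428 pattern), lists which directories on that path are writable by broad groups (the AC-6 concern), and with -Fix rewrites the ImagePath with the executable quoted (the CM-6 remediation). The set of groups it treats as "broad" is an assumption of this example, and it is not specific to Wing FTP Server.

```powershell
# Added audit example (not from the advisory or the vendor): finds unquoted service
# ImagePaths (CWE-428), reports broadly writable directories along them, and with -Fix
# quotes the executable path in the registry. Run from an elevated PowerShell session.
param([switch]$Fix)

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Groups treated as "broad" for the write-access check (an assumption of this example).
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# The right that lets a member create or replace a file in a directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-BroadWriteAccess {
    # True when any broad group holds an Allow ACE that includes CreateFiles on $Directory.
    param([string]$Directory)
    $acl = Get-Acl -Path $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-AncestorDirectory {
    # Every directory from the executable's folder up to the drive root; with an unquoted
    # path containing spaces, these are the directories whose ACLs matter.
    param([string]$ExePath)
    $dir = Split-Path -Parent $ExePath
    while ($dir) {
        $dir
        $dir = Split-Path -Parent $dir
    }
}

function Get-UnquotedServicePath {
    # Read ImagePath straight from the registry so we see the raw string the SCM uses.
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $raw = $image.Trim()
        if ($raw.StartsWith('"')) { continue }                              # already quoted
        if (-not ($raw -match '^(?<exe>.*?\.exe)(?<tail>.*)$')) { continue }  # drivers etc.
        $exe = $Matches['exe']; $tail = $Matches['tail']
        if ($exe -notmatch '\s') { continue }             # a space only in the arguments is fine
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        $writable = @(Get-AncestorDirectory $expanded | Where-Object { Test-BroadWriteAccess $_ })
        [pscustomobject]@{
            Service      = $key.PSChildName
            ImagePath    = $image
            QuotedPath   = ('"{0}"{1}' -f $exe, $tail)
            WritableDirs = ($writable -join '; ')
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrite the ImagePath value with the executable path quoted (the CM-6 fix).
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        $keyPath = Join-Path -Path $ServicesKey -ChildPath $Finding.Service
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $Finding.QuotedPath
        Write-Output ("Quoted ImagePath for service '{0}'" -f $Finding.Service)
    }
}

$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) { Write-Output 'No unquoted service paths found.'; return }
$findings | Format-Table -AutoSize -Wrap
if ($Fix) { $findings | Repair-UnquotedServicePath }
```

Run the script without arguments to get a report; any row with a non-empty WritableDirs column is the combination the advisory describes (unquoted path plus a directory a low-privileged user can write to) and should be treated as a finding even before a vendor patch is applied. Re-running with -Fix quotes the path in place; the change takes effect the next time the service starts, and `sc qc <service>` shows the resulting BINARY_PATH_NAME for confirmation.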

A public exploit is available on Exploit-DB, indicating potential for real-world local privilege escalation attacks on unpatched systems running the affected version.


Vulnerability details

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.

CWE(s)

CWE-428 Unquoted Search Path or Element

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted service path (CWE-428) directly enables path interception by placing a malicious binary earlier in the search order, hijacking Windows service execution for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27889 · Same product: Wftpserver Wing Ftp Server
CVE-2020-37032 · Same product: Wftpserver Wing Ftp Server
CVE-2026-44403 · Same product: Wftpserver Wing Ftp Server
CVE-2025-47812 · Same product: Wftpserver Wing Ftp Server
CVE-2025-47813 · Same product: Wftpserver Wing Ftp Server
CVE-2020-36928 · Shared CWE-428
CVE-2023-54336 · Shared CWE-428
CVE-2020-37048 · Shared CWE-428
CVE-2019-25306 · Shared CWE-428
CVE-2020-36979 · Shared CWE-428

Affected Assets

Vendor: wftpserver
Product: wing ftp server
Version: 6.0.7

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 (Flaw Remediation) requires identification, reporting, and correction of system flaws like the unquoted service path, directly preventing local privilege escalation by patching or fixing the vulnerable configuration.

Prevent: CM-6 (Configuration Settings) enforces secure configuration settings for system components, such as quoting service ImagePath registry values, comprehensively mitigating the unquoted path vulnerability.

Prevent: AC-6 (Least Privilege) applies least privilege to restrict low-privileged local users from writing malicious executables to directories exploited in the service path hijacking.

References