CVE-2019-25267
Published: 05 February 2026
Summary
CVE-2019-25267 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Wing FTP Server (vendor: wftpserver). Its CVSS base score is 7.8 (High).
Operationally, its exploit-likelihood ranking sits at the 0.4th percentile (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identification, reporting, and correction of system flaws such as the unquoted service path; applying the vendor's fix or correcting the service configuration removes the local privilege-escalation path.
CM-6 enforces secure configuration settings for system components; here that means wrapping the service's ImagePath registry value in quotes so that Windows parses the full path to the binary unambiguously, which eliminates the unquoted-path condition on that host.
AC-6 applies least privilege so that low-privileged local users cannot write to the directories along the service path (the system drive root and the application's parent directories), which is precisely the write access the hijack requires.
NVD Description
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
Deeper analysis
Wing FTP Server 6.0.7 is affected by CVE-2019-25267, an unquoted service path vulnerability classified under CWE-428. This flaw arises from an unquoted binary path in the Windows service configuration, enabling local attackers to potentially execute arbitrary code with elevated system privileges. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
Local low-privileged users (PR:L) can exploit this vulnerability by placing a malicious executable at one of the intermediate locations Windows tries while parsing the unquoted command line. Because the path is not quoted, CreateProcess treats each space as a possible end of the file name and tries the prefixes in order, appending .exe where a prefix has no extension, before it reaches the real service binary; for an illustrative unquoted path such as C:\Program Files\Some Vendor\svc.exe, Windows would try C:\Program.exe and then C:\Program Files\Some.exe first. This is the Win32 command-line parsing behaviour, not a search of the PATH environment variable. If the attacker can write to one of those intermediate locations, the planted binary runs with LocalSystem permissions the next time the Wing FTP Server service starts or restarts, allowing full system compromise. Default ACLs on the root of the system drive and on Program Files do not let standard users create files there, so practical exploitation depends on the service being installed under a directory with weaker permissions or on an intermediate directory having been made writable.
Advisories from VulnCheck and Exploit-DB provide further details, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/47818. Security practitioners should consult the vendor's site at https://www.wftpserver.com/ for patches or updates, and apply standard mitigations such as quoting the service ImagePath registry value or restricting write access to the directories along the service path.
A public exploit is available on Exploit-DB, indicating potential for real-world local privilege escalation attacks on unpatched systems running the affected version.
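To make the mechanism and the quoting fix concrete, the following is an added Python example written for this page; it is not code from Wing FTP Server, Exploit-DB, or any advisory. It applies the Win32 command-line parsing rule to a service ImagePath value, lists the intermediate files Windows would try before the intended binary and the directories an attacker must therefore be able to write to (the AC-6 target), and produces the quoted value that CM-6 calls for. The sample ImagePath strings are constructed and the install directory "Example FTP Server" is hypothetical; the optional registry scan runs only on Windows, through the standard-library winreg module, and returns nothing elsewhere.

```python
"""
Added example: reproduce the Win32 command-line parsing that makes an
unquoted service ImagePath hijackable, list the directories an attacker
would need write access to, and produce the quoted value that fixes it.
Sample ImagePath values are constructed; the install directory is hypothetical.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed samples (hypothetical paths, not a real Wing FTP Server install).
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "quoted_ok": r'"C:\Program Files\Example FTP Server\ftpsvc.exe" -service',
    "unquoted":  r"C:\Program Files\Example FTP Server\ftpsvc.exe -service",
    "no_spaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def split_unquoted(image_path: str) -> Tuple[str, List[str]]:
    """Return (intended_binary, hijack_candidates).

    CreateProcess treats every run of whitespace in an unquoted command line
    as a possible end of the file name and tries each prefix in turn,
    appending ".exe" when the prefix has no extension.  Offline we cannot
    stat the filesystem, so the intended binary is taken to be the first
    whitespace-delimited prefix ending in .exe (or the whole string if none
    does); every prefix tried before it is a hijack candidate.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), []   # quoted: nothing to hijack
    candidates: List[str] = []
    for m in re.finditer(r"\s+", s):
        prefix = s[:m.start()]
        if prefix.lower().endswith(".exe"):
            return prefix, candidates
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"                   # no extension: Windows appends .exe
        candidates.append(prefix)
    return s, candidates


def hijack_directories(candidates: List[str]) -> List[str]:
    """Directories in which the attacker needs create-file rights (AC-6 target)."""
    return list(dict.fromkeys(ntpath.dirname(c) for c in candidates))


def quote_image_path(image_path: str) -> str:
    """Return the CM-6 remediated value: binary path quoted, arguments untouched."""
    s = image_path.strip()
    binary, candidates = split_unquoted(s)
    if not candidates:
        return s                               # already safe
    return f'"{binary}"{s[len(binary):]}'


def scan_registry_services() -> Dict[str, List[str]]:
    """On Windows, return {service: hijack_candidates} for every service whose
    ImagePath is exploitable.  Returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    findings: Dict[str, List[str]] = {}
    root_path = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue                       # key has no ImagePath value
            if isinstance(value, str):
                _, cands = split_unquoted(value)
                if cands:
                    findings[name] = cands
    return findings


if __name__ == "__main__":
    for label, value in SAMPLE_IMAGE_PATHS.items():
        binary, cands = split_unquoted(value)
        print(f"[{label}] intended binary: {binary}")
        for c in cands:
            print(f"    tried first: {c}")
        if cands:
            print(f"    attacker needs write access to: {hijack_directories(cands)}")
            print(f"    fixed ImagePath: {quote_image_path(value)}")
    for svc, cands in scan_registry_services().items():
        print(f"LIVE {svc}: {cands}")
```

Running it on the constructed "unquoted" sample shows that C:\Program.exe, C:\Program Files\Example.exe and C:\Program Files\Example FTP.exe are tried before the real binary, so write access to C:\ or C:\Program Files is what an attacker would need; the quoted output is the value to write back to the service's ImagePath.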
Details
- CWE(s)