CVE-2019-25307
Published: 11 February 2026
Summary
CVE-2019-25307 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Tucows (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE is ranked at the 4.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2019-25307 is an unquoted service path vulnerability affecting WorkgroupMail 7.5.1, specifically in its Windows service configuration. This flaw, classified under CWE-428, arises from the service binary path not being properly quoted, enabling local privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with low complexity and local access requirements.
Local attackers with low privileges can exploit this vulnerability by placing a malicious executable in a directory that precedes the legitimate service binary in the system's PATH search order. During service startup, the malicious executable runs with LocalSystem privileges, potentially allowing arbitrary code execution, full system compromise, and persistence on the affected Windows host.
Advisories and resources, including those from VulnCheck and an Exploit-DB entry (47523), document the issue and provide proof-of-concept exploitation details. No specific patches or mitigations are detailed in the available references, but practitioners should verify service path configurations in WorkgroupMail installations and apply general unquoted path hardening, such as quoting paths or restricting service directories.
A public exploit is available on Exploit-DB, indicating proof-of-concept exploitation capability, though no widespread real-world attacks have been reported in the provided data.
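The service-path verification recommended above, as an added PowerShell example (not code from the advisories or the vendor). It relies on documented Windows behaviour: an unquoted command line containing spaces is tried at each space boundary with `.exe` appended. The function name `Test-UnquotedServicePath` and the sample paths are assumptions constructed for illustration.

```powershell
# Added example: audit service command lines for CWE-428 (unquoted path with spaces).
# Test-UnquotedServicePath is a hypothetical helper name; sample paths are constructed.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    $result = [pscustomobject]@{
        PathName   = $p
        Vulnerable = $false
        Candidates = @()     # locations Windows would try before the real binary
        QuotedFix  = $null   # value to set as the corrected ImagePath
    }

    # A command line that starts with a quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return $result }

    # Executable portion: everything up to the first ".exe" that ends a token.
    $m = [regex]::Match($p, '(?i)^(?<exe>.+?\.exe)(?<args>\s.*)?$')
    if (-not $m.Success) { return $result }      # e.g. driver paths, out of scope here

    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return $result }  # no spaces, so no ambiguity

    # Each space is a point where Windows may stop and append ".exe".
    $candidates = for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }

    $result.Vulnerable = $true
    $result.Candidates = @($candidates)
    $result.QuotedFix  = '"' + $exe + '"' + $m.Groups['args'].Value
    return $result
}

# Constructed sample command lines (not taken from a real WorkgroupMail install).
$samples = @(
    'C:\Program Files (x86)\Example Mail\mailsvc.exe -service',    # flagged
    '"C:\Program Files (x86)\Example Mail\mailsvc.exe" -service',  # already quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'                   # no spaces in path
)
$samples | ForEach-Object { Test-UnquotedServicePath $_ } | Format-List

# Read-only audit of the local host:
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Test-UnquotedServicePath $_.PathName } | Where-Object Vulnerable
```

For each flagged service, confirm that no unexpected file exists at the listed candidate locations and that non-administrative users cannot write to their parent directories, then set the service's `ImagePath` to the quoted form.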
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19454
Vulnerability details
WorkgroupMail 7.5.1 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unquoted service path flaw (CWE-428) enables Path Interception by Unquoted Path (T1574.009) for local privilege escalation (T1068) via malicious executable placement in PATH.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Establishes and enforces configuration settings that require proper quoting of Windows service binary paths to prevent exploitation of unquoted paths.
Requires identification, reporting, and correction of flaws like CVE-2019-25307, including fixing the unquoted service path configuration.
Vulnerability scanning detects unquoted service path vulnerabilities like CVE-2019-25307 in system configurations.