CVE-2019-25306
📋 TL;DR
CVE-2019-25306 is an unquoted service path vulnerability in BlackMoon FTP Server that allows local attackers to execute arbitrary code with LocalSystem privileges. Attackers can place malicious executables in the unquoted service path to achieve privilege escalation when the service starts. Only systems running BlackMoon FTP Server with local user access are affected.
💻 Affected Systems
- BlackMoon FTP Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via LocalSystem privilege escalation leading to full administrative control, data theft, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to execute code with system-level permissions, potentially installing malware or accessing sensitive system resources.
If Mitigated
Limited impact with proper access controls, service hardening, and monitoring preventing unauthorized local access.
🎯 Exploit Status
Exploit requires local access to create malicious executables in the service path. Proof of concept available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: Yes
Instructions:
1. Uninstall BlackMoon FTP Server 3.1.2.1731
2. Install a patched version if available from vendor
3. Restart system to ensure service changes take effect
🔧 Temporary Workarounds
Quote Service Path
Windows: manually edit the service configuration so the binary path is quoted
sc config "BlackMoon FTP Server" binPath= "\"C:\Program Files\BlackMoon FTP Server\bmftp.exe\""
Restrict Service Permissions
Windows: configure the service's security descriptor so that unprivileged users cannot modify the service configuration (including its binary path)
sc sdset "BlackMoon FTP Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Remove local user access to affected systems
- Implement strict file system permissions to prevent unauthorized file creation in service directories
🔍 How to Verify
Check if Vulnerable:
Check if BlackMoon FTP Server is installed and examine service path: sc qc "BlackMoon FTP Server" | findstr BINARY_PATH_NAME
Check Version:
Check program files directory or registry: HKEY_LOCAL_MACHINE\SOFTWARE\BlackMoon FTP Server
Verify Fix Applied:
Verify the service path is quoted: sc qc "BlackMoon FTP Server" | findstr BINARY_PATH_NAME should show the full path to bmftp.exe wrapped in double quotes
📡 Detection & Monitoring
Log Indicators:
- Service control manager events showing service path modifications
- File creation events in BlackMoon FTP Server directory by non-admin users
Network Indicators:
- Unusual outbound connections from system after service restart
SIEM Query:
EventID=7045 AND ServiceName="BlackMoon FTP Server" AND ImagePath NOT CONTAINS '"'
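The verification check and the SIEM query above can be applied in bulk to ImagePath values collected from the registry (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath) or from event 7045. The Python below is an added example, not code from this advisory or from the vendor: the service list is constructed (only the BlackMoon path comes from this page), and it assumes the executable portion of an unquoted path ends at the first ".exe" token. It is stricter than the query above, which would also flag unquoted paths with no spaces in the executable (e.g. svchost.exe -k ...), where no ambiguous prefix exists.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ImagePath values. Only the BlackMoon entry mirrors the
# path from this advisory; the other three are assumed, for illustration.
SAMPLE_SERVICES: Dict[str, str] = {
    "BlackMoon FTP Server": r"C:\Program Files\BlackMoon FTP Server\bmftp.exe",
    "Quoted Example": r'"C:\Program Files\Quoted Example\svc.exe" -service',
    "NoSpaces": r"C:\tools\nospaces\agent.exe --daemon",
    "Shared Host": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}


def executable_portion(image_path: str) -> Optional[str]:
    """Return the executable part of an unquoted ImagePath, or None if quoted.

    Assumption: the executable ends at the first '.exe' token; anything
    after it is treated as command-line arguments.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return None  # already quoted: not subject to this weakness
    m = re.match(r"(.+?\.exe)\b", s, flags=re.IGNORECASE)
    return m.group(1) if m else s


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True only when the unquoted executable path itself contains a space.

    An unquoted path without spaces (e.g. svchost.exe -k netsvcs) has no
    ambiguous prefix for the service control manager to try, so it is not
    exploitable and would be a false positive of the broad SIEM query.
    """
    exe = executable_portion(image_path)
    return exe is not None and " " in exe


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in double quotes."""
    exe = executable_portion(image_path)
    s = image_path.strip()
    if exe is None:
        return s
    return f'"{exe}"{s[len(exe):]}'


def audit(services: Dict[str, str]) -> List[str]:
    """Names of services whose ImagePath is unquoted and contains spaces."""
    return [n for n, p in services.items() if is_unquoted_with_spaces(p)]


if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(f"{name}: {SAMPLE_SERVICES[name]} -> {quoted_fix(SAMPLE_SERVICES[name])}")
```

The fixed value printed for each flagged service is what the sc config binPath= workaround above sets.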