CVE-2025-47811

4.1 MEDIUM

📋 TL;DR

Wing FTP Server through 7.4.4 runs its administrative web interface (tcp/5466 by default) as root on Linux/macOS and as SYSTEM on Windows, and the only way to lower that privilege is to run the whole service as a different account. Any authenticated administrator of the web interface can run arbitrary OS commands through supported features (the web console and the task scheduler), and those commands inherit the service's full privileges. The vendor treats this as intended behaviour, so whoever holds, steals or forges an administrative session effectively holds root/SYSTEM on the host. Organizations running affected versions in the default configuration are exposed.

💻 Affected Systems

Products:
  • Wing FTP Server
Versions: through 7.4.4
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in the default configuration, where the service (and therefore the administrative web interface) runs as root/SYSTEM. Exploitation requires an authenticated administrator of the web interface; it does not require a flaw in the interface itself.

📦 What is this software?

Wing FTP Server is a commercial, cross-platform file transfer server (FTP, FTPS, SFTP and HTTP/HTTPS) for Windows, Linux and macOS. It is administered through a built-in web console, which is the interface this issue concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root/SYSTEM access, allowing attackers to install persistent malware, steal sensitive data, or pivot to other systems.

🟠

Likely Case

Privilege escalation where authenticated administrative users gain full system control beyond their intended permissions.

🟢

If Mitigated

Limited impact if the service runs as a dedicated low-privileged account, administrative access is held only by people who are already trusted as system administrators, and the administrative port is reachable only from a management network.

🌐 Internet-Facing: HIGH - If the administrative interface is exposed to the internet, attackers could gain full system control.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could escalate privileges to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated administrator of the web interface; no exploit technique is needed beyond using the console or task scheduler as designed. The issue also amplifies other bugs in the product: code execution obtained through CVE-2025-47812 (an unauthenticated remote code execution flaw in Wing FTP Server before 7.4.4) lands inside the same service process, which this issue leaves running as root/SYSTEM, so an attacker without administrative credentials still ends up with full host privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.wftpserver.com

Restart Required: N/A (no patch)

Instructions:

There is no patch: the vendor considers running the administrative interface with the service's full privileges to be intended behaviour. Treat the workarounds below (run the service as a dedicated unprivileged account, and restrict who can reach the administrative port) as the permanent fix rather than a stopgap.

🔧 Temporary Workarounds

Run Wing FTP Server with reduced privileges

Platform: all

Configure the Wing FTP Server service to run as a dedicated non-privileged account instead of root/SYSTEM. Commands executed from the web console or task scheduler then run as that account, so a compromised or abused administrative session no longer yields root/SYSTEM. Grant the account ownership of the installation and data directories only.

# Linux: create a dedicated user and run the service as that user
# Windows: set the service's Log On account to a dedicated limited user

Restrict administrative web interface access

Platform: all

Limit access to the administrative port (5466 by default) with host firewall rules and network segmentation, so that only management hosts can reach it. An allow rule on its own does nothing: it must be paired with a rule that drops everything else, and on Windows an explicit block rule takes precedence over an allow rule, so scope the allow rule to trusted addresses and rely on the default inbound block (after removing any broader allow rule the installer created).

# Linux: allow trusted hosts, then drop everything else that reaches the admin port
iptables -A INPUT -p tcp --dport 5466 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 5466 -j DROP
# Windows: allow the admin port only from trusted hosts; keep the default inbound policy at Block
netsh advfirewall firewall add rule name="Wing FTP Admin (trusted only)" dir=in action=allow protocol=TCP localport=5466 remoteip=trusted_ip

🧯 If You Can't Patch

  • Implement strict access controls to ensure only trusted system administrators have administrative access to the web interface
  • Monitor administrative interface logs for unusual command execution patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check Wing FTP Server version and verify if administrative interface runs with elevated privileges. Review service configuration and user context.

Check Version:

# Windows: Check program version in About dialog
# Linux: Check version in web interface or installation directory

Verify Fix Applied:

Verify Wing FTP Server is running as non-privileged user and administrative interface access is properly restricted.
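As an added example (not Wing FTP Server's own tooling and not from the original page), the following POSIX shell script checks both conditions above on a Linux host: which user owns the process listening on the administrative port (5466 by default, overridable as the first argument) and whether that port is bound on every interface rather than a management address. It assumes iproute2 `ss` and a readable /proc; run it as root so that `ss -p` can report PIDs owned by other users.

```shell
#!/bin/sh
# Added example: inspect the listener on the Wing FTP administrative port.
# Assumes Linux, iproute2 `ss`, and a readable /proc (run as root).
ADMIN_PORT="${1:-5466}"

# Effective UID from the text of /proc/<pid>/status.
# The "Uid:" line carries real, effective, saved and fs UIDs; we want the second.
euid_from_status() {
    printf '%s\n' "$1" | awk '/^Uid:/ { print $3 }'
}

# Verdict for the UID the administrative interface runs as.
uid_verdict() {
    if [ "$1" = "0" ]; then
        echo "VULNERABLE: admin interface runs as root (CVE-2025-47811)"
    else
        echo "OK: admin interface runs as uid $1"
    fi
}

# Classify the local-address column of `ss`: loopback-only, every interface,
# or a specific (hopefully management-only) address.
bind_scope() {
    case "$1" in
        127.*|'[::1]:'*)            echo "loopback" ;;
        0.0.0.0:*|'*:'*|'[::]:'*)   echo "all-interfaces" ;;
        *)                          echo "specific-address" ;;
    esac
}

# Live check: find the TCP listener on ADMIN_PORT and inspect its owner.
line=$(ss -ltnpH "sport = :$ADMIN_PORT" 2>/dev/null | head -n 1)
if [ -z "$line" ]; then
    echo "nothing listening on tcp/$ADMIN_PORT (or ss unavailable)"
else
    addr=$(printf '%s\n' "$line" | awk '{ print $4 }')
    pid=$(printf '%s\n' "$line" | sed -n 's/.*pid=\([0-9]*\).*/\1/p')
    echo "listener on $addr (bind scope: $(bind_scope "$addr"))"
    if [ -n "$pid" ] && [ -r "/proc/$pid/status" ]; then
        uid_verdict "$(euid_from_status "$(cat "/proc/$pid/status")")"
    else
        echo "cannot resolve the owning PID; rerun as root"
    fi
fi
```

A host is mitigated only when the verdict reports a non-zero UID and the bind scope is loopback or a specific management address; an "all-interfaces" listener still needs the firewall rules from the workaround section. If the administrative port was changed from the default, pass the configured port as the first argument.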

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution through web console
  • Task scheduler entries with suspicious commands
  • Multiple failed login attempts to administrative interface

Network Indicators:

  • Unusual traffic to port 5466 from unexpected sources
  • Command execution patterns in HTTP requests to administrative interface

SIEM Query:

Field and event names below are illustrative; map them to the fields your collector extracts from the Wing FTP logs. Filtering on command="*" matches every event, so the query instead excludes known administrator accounts and management addresses and alerts on what remains.

source="wing_ftp.log" AND (event="command_execution" OR event="task_scheduler") AND NOT user IN (approved_admin_accounts) OR (source="wing_ftp.log" AND event="admin_login" AND NOT src_ip IN (management_addresses))
