Insecure URL Parameter Vulnerability in Wing FTP Server
CVE-2025-27889

8.8HIGH

Key Information:

Vendor: Wftpserver
Status: Wing Ftp Server
Vendor: CVE Published:; 10 July 2025

What is CVE-2025-27889?

Wing FTP Server versions before 7.4.4 are susceptible to a vulnerability where the url parameter of the downloadpass.html endpoint is not properly validated or sanitized. This oversight allows attackers to craft a malicious link, which, when clicked by an unsuspecting user, can result in the disclosure of cleartext passwords. Such vulnerabilities can compromise user credentials and pose a significant security risk, necessitating immediate attention and remediation.

Affected Version(s)

Wing FTP Server 0 < 7.4.4

References

https://www.wftpserver.com/wftpserver.htm

https://www.rcesecurity.com/2025/06/what-the-null-wing-ft...

https://github.com/MrTuxracer/advisories/blob/master/CVEs...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 10, 2025
Vulnerability Reserved
Mar 10, 2025

Wftpserver

What is CVE-2025-27889?

Affected Version(s)

References

CVSS V3.1

Timeline