{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T18:13:01.158","vulnerabilities":[{"cve":{"id":"CVE-2025-47811","sourceIdentifier":"cve@mitre.org","published":"2025-07-10T17:15:46.933","lastModified":"2025-07-17T13:18:45.240","vulnStatus":"Analyzed","cveTags":[{"sourceIdentifier":"cve@mitre.org","tags":["disputed"]}],"descriptions":[{"lang":"en","value":"In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior \"fine to keep.\""},{"lang":"es","value":"En Wing FTP Server hasta la versión 7.4.4, la interfaz web administrativa (que escucha por defecto en el puerto 5466) se ejecuta como root o SYSTEM por defecto. La propia aplicación web ofrece varias formas legítimas de ejecutar comandos arbitrarios del sistema (por ejemplo, a través de la consola web o el programador de tareas), y estos se ejecutan automáticamente con el máximo privilegio posible. Dado que los usuarios administrativos de la interfaz web no son necesariamente administradores del sistema, se podría argumentar que se trata de una escalada de privilegios. (Si un atacante no tiene acceso a un rol de aplicación privilegiado, se puede aprovechar la vulnerabilidad CVE-2025-47812). NOTA: Según se informa, el proveedor considera que este comportamiento es aceptable."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N","baseScore":4.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L","baseScore":6.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.3,"impactScore":3.7}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-267"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*","versionEndExcluding":"7.4.4","matchCriteriaId":"34AF9E83-291C-40B0-AE69-34C9B59A5D03"}]}]}],"references":[{"url":"https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/","source":"cve@mitre.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.wftpserver.com","source":"cve@mitre.org","tags":["Broken Link"]},{"url":"https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}}]}