ByteOS Network

Vulnerability Details :

CVE-2025-5196

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-26 May, 2025 | 13:31

Updated At-28 May, 2025 | 17:35

Wing FTP Server Lua Admin Console unnecessary privileges

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:VulDB

Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5

Published At:26 May, 2025 | 13:31

Updated At:28 May, 2025 | 17:35

▼CVE Numbering Authority (CNA)

Wing FTP Server Lua Admin Console unnecessary privileges

Affected Products

Vendor

Wing

Product

FTP Server

Modules

Lua Admin Console

Versions

Affected

7.4.0
7.4.1
7.4.2
7.4.3

Problem Types

Type	CWE ID	Description
CWE	CWE-250	Execution with Unnecessary Privileges

Type: CWE

CWE ID: CWE-250

Description: Execution with Unnecessary Privileges

Metrics

Version	Base score	Base severity	Vector
4.0	7.5	HIGH	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.1	6.6	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
3.0	6.6	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
2.0	6.8	N/A	AV:N/AC:H/Au:M/C:C/I:C/A:C

Version: 4.0

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Version: 3.1

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Version: 3.0

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Version: 2.0

Base score: 6.8

Base severity: N/A

Vector:

AV:N/AC:H/Au:M/C:C/I:C/A:C

Credits

reporter

nouvexr (VulDB User)

Timeline

Event	Date
Advisory disclosed	2025-05-26 00:00:00
VulDB entry created	2025-05-26 02:00:00
VulDB entry last update	2025-05-26 10:25:25

Event: Advisory disclosed

Date: 2025-05-26 00:00:00

Event: VulDB entry created

Date: 2025-05-26 02:00:00

Event: VulDB entry last update

Date: 2025-05-26 10:25:25

References

Hyperlink	Resource
https://vuldb.com/?id.310279	vdb-entry
https://vuldb.com/?ctiid.310279	signature permissions-required
https://vuldb.com/?submit.584253	third-party-advisory
https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt	exploit
https://www.wftpserver.com/serverhistory.htm	patch

Hyperlink: https://vuldb.com/?id.310279

Resource:

vdb-entry

Hyperlink: https://vuldb.com/?ctiid.310279

Resource:

signature

permissions-required

Hyperlink: https://vuldb.com/?submit.584253

Resource:

third-party-advisory

Hyperlink: https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt

Resource:

exploit

Hyperlink: https://www.wftpserver.com/serverhistory.htm

Resource:

patch

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

References

Hyperlink	Resource
https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt	exploit

Hyperlink: https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt

Resource:

exploit

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cna@vuldb.com

Published At:26 May, 2025 | 14:15

Updated At:02 Jul, 2025 | 17:42

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.5	HIGH	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary	3.1	6.6	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Secondary	2.0	6.8	MEDIUM	AV:N/AC:H/Au:M/C:C/I:C/A:C

Type: Secondary

Version: 4.0

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 3.1

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 2.0

Base score: 6.8

Base severity: MEDIUM

Vector:

AV:N/AC:H/Au:M/C:C/I:C/A:C

CPE Matches

wftpserver>>wing_ftp_server>>Versions before 7.4.4(exclusive)

cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-250	Secondary	cna@vuldb.com

CWE ID: CWE-250

Type: Secondary

Source: cna@vuldb.com

References

Hyperlink	Source	Resource
https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt	cna@vuldb.com	Exploit
https://vuldb.com/?ctiid.310279	cna@vuldb.com	Permissions Required VDB Entry
https://vuldb.com/?id.310279	cna@vuldb.com	Third Party Advisory VDB Entry
https://vuldb.com/?submit.584253	cna@vuldb.com	Exploit VDB Entry
https://www.wftpserver.com/serverhistory.htm	cna@vuldb.com	Broken Link
https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt	134c704f-9b21-4f2e-91b3-4a467353bcc0	Exploit

Hyperlink: https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt

Source: cna@vuldb.com

Resource:

Exploit

Hyperlink: https://vuldb.com/?ctiid.310279

Source: cna@vuldb.com

Resource:

Permissions Required

VDB Entry

Hyperlink: https://vuldb.com/?id.310279

Source: cna@vuldb.com

Resource:

Third Party Advisory

VDB Entry

Hyperlink: https://vuldb.com/?submit.584253

Source: cna@vuldb.com

Resource:

Exploit

VDB Entry

Hyperlink: https://www.wftpserver.com/serverhistory.htm

Source: cna@vuldb.com

Resource:

Broken Link

Hyperlink: https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource:

Exploit

Similar CVEs

1Records found

CVE-2024-8266

Matching Score-4

Assigner-GitLab Inc.

View Details

Matching Score-4

Assigner-GitLab Inc.

CVSS Score-4.4||MEDIUM

EPSS-0.02% / 3.59%

7 Day CHG~0.00%

Published-13 Feb, 2025 | 00:54

Updated-06 Aug, 2025 | 18:49

Execution with Unnecessary Privileges in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-250

Execution with Unnecessary Privileges

CVE-2025-5196

Credits

Wing FTP Server Lua Admin Console unnecessary privileges

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs