PT-2025-17413 · Unknown · Wing Ftp Server
Mrtuxracer · Published 2025-04-20 · Updated 2025-07-11 · CVE-2025-27889
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Wing FTP Server versions prior to 7.4.4
Description:
Wing FTP Server does not properly validate and sanitize the url parameter of the /downloadpass.html API endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
Recommendations:
Update Wing FTP Server to version 7.4.4 or later.
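
For servers that cannot be updated immediately, requests to the endpoint can be reviewed in the web access log. The following Python script is an added example, not part of the original advisory or of Wing FTP Server; it flags /downloadpass.html requests whose url parameter points at a host other than the server itself. The log format, the TRUSTED_HOSTS value and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hostnames under which this server is legitimately reached.
TRUSTED_HOSTS = {"ftp.example.com"}
# Assumption: combined-style access log; this captures the request target.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def external_link_target(request_target, trusted=TRUSTED_HOSTS):
    """Return the off-site host carried in the url parameter, else None."""
    path, _, query = request_target.partition("?")
    if path.lower() != "/downloadpass.html":
        return None
    for value in parse_qs(query).get("url", []):
        try:
            # Browsers treat backslashes like slashes; normalise first.
            host = urlsplit(value.strip().replace("\\", "/")).hostname
        except ValueError:
            return "<unparsable>"  # malformed value: surface for review
        if host and host not in trusted:
            return host
    return None


def scan(lines):
    """Yield (line_number, host) for each log entry with an off-site url."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        host = external_link_target(match.group(1)) if match else None
        if host:
            yield number, host


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /downloadpass.html?url=%2Fmain.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2025:10:02:13 +0000] "GET /downloadpass.html?url=https%3A%2F%2Fcollector.invalid%2Fx HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2025:10:02:40 +0000] "GET /downloadpass.html?url=%2F%2Fcollector.invalid%2Fx HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/May/2025:10:05:00 +0000] "GET /downloadpass.html?url=https%3A%2F%2Fftp.example.com%2Fmain.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/May/2025:10:06:00 +0000] "GET /login.html?url=https%3A%2F%2Fcollector.invalid HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOG):
        print(f"line {number}: url parameter points to off-site host {host}")
```

Requests that carry the parameter in a POST body do not appear in the request line, so this check covers only links delivered as query strings.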
Affected Products
Wing Ftp Server