CVE-2019-25267 Overview
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability (CWE-428) that allows local attackers to potentially execute arbitrary code with elevated system privileges. When the Windows service configuration for Wing FTP Server specifies an unquoted path containing spaces, attackers can place a malicious executable in a location that will be executed before the legitimate service binary, resulting in code execution with LocalSystem permissions.
Critical Impact
Local attackers with write access to directories in the service path can achieve privilege escalation to LocalSystem, gaining complete control over the affected Windows system.
Affected Products
- Wing FTP Server 6.0.7
- Windows installations with unquoted service paths
Discovery Timeline
- 2026-02-05 - CVE-2019-25267 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2019-25267
Vulnerability Analysis
This vulnerability exists due to improper handling of the service executable path in the Windows service configuration. When a Windows service path contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path at each space character. This behavior creates an opportunity for attackers to place a malicious executable in a parent directory that will be executed instead of the legitimate service binary.
For example, if the service is configured with a path like C:\Program Files\Wing FTP Server\wftpd.exe, Windows will attempt to execute binaries in the following order: C:\Program.exe, C:\Program Files\Wing.exe, and finally C:\Program Files\Wing FTP Server\wftpd.exe. An attacker who can write to C:\ or C:\Program Files\ could place a malicious executable that would be run with the service's privileges.
Root Cause
The root cause is the improper quoting of the executable path in the Windows service registry configuration. When Wing FTP Server is installed, the service path is stored without enclosing quotation marks. This allows the Windows path parsing behavior to be exploited when the path contains space characters, creating a privilege escalation vector.
Attack Vector
This is a local attack vector requiring the attacker to have authenticated access to the target system with write permissions to one of the directories in the parsed path sequence. The attack follows these steps:
- Attacker identifies that Wing FTP Server service has an unquoted path
- Attacker determines which directories in the path tree are writable
- Attacker places a malicious executable (e.g., Wing.exe) in a writable directory
- When the service starts or restarts, the malicious executable runs with LocalSystem privileges
- Attacker achieves privilege escalation and can execute arbitrary commands
The vulnerability requires local access but no user interaction, and the attacker needs only low-level privileges to exploit it.
Detection Methods for CVE-2019-25267
Indicators of Compromise
- Unexpected executable files in C:\Program Files\ directory with names like Wing.exe or Program.exe
- Unusual processes spawning from directories outside the legitimate Wing FTP Server installation path
- Service-related events in Windows Event Logs showing unexpected executable paths
- File system modifications in root directories or C:\Program Files\ by non-administrative users
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '* *'}
- Monitor file creation events in directories that could be exploited (e.g., C:\, C:\Program Files\)
- Implement SentinelOne behavioral AI to detect suspicious process spawning from service contexts
- Use endpoint detection rules to identify executables created in unusual locations with suspicious naming patterns
Monitoring Recommendations
- Enable file integrity monitoring on directories in the service path hierarchy
- Configure alerts for new executable files in C:\Program Files\ outside normal software installation patterns
- Monitor Windows Security Event Logs for service-related events (Event IDs 7045, 7040)
- Deploy SentinelOne Singularity XDR for real-time behavioral analysis of service execution anomalies
How to Mitigate CVE-2019-25267
Immediate Actions Required
- Audit all Windows services on affected systems for unquoted paths using the detection query provided above
- Manually correct the Wing FTP Server service path by adding quotation marks around the executable path in the registry
- Restrict write permissions on directories in the service path hierarchy to administrators only
- Update Wing FTP Server to the latest available version from the official website
Patch Information
Users should update Wing FTP Server to a version that properly quotes the service path during installation. Refer to the VulnCheck Advisory for detailed information about affected versions and remediation guidance. Additional technical details are available in Exploit-DB #47818.
Workarounds
- Manually add quotation marks to the service ImagePath registry value at HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
- Restrict NTFS permissions on C:\Program Files\ and parent directories to prevent unauthorized file creation
- Use Windows Group Policy to audit and remediate unquoted service paths across the enterprise
- Implement application whitelisting to prevent execution of unauthorized executables in sensitive directories
# Command Prompt (run as administrator) - Fix unquoted service path via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WingFTPServer" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Wing FTP Server\wftpd.exe\"" /f
# PowerShell - Audit for unquoted service paths (paths that already start with a quote are skipped)
Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '* *'} | Select-Object Name, PathName
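The following audit script is an added example, not code from the vendor or from this advisory's sources. It ties the path parsing described under Vulnerability Analysis to the detection query and the ImagePath workaround above. The function names are hypothetical. It enumerates every space boundary, so for this page's example path it also lists C:\Program Files\Wing FTP.exe, and it ignores spaces that occur only in service arguments.

```powershell
# Added example, not vendor code. Function names are hypothetical.

# Returns the executable portion of an ImagePath when it is unquoted and contains
# a space, plus the same value with the executable quoted and arguments preserved.
function Get-UnquotedServiceExe {
    param([string]$ImagePath)
    $p = "$ImagePath".Trim()
    if (-not $p -or $p.StartsWith('"')) { return }      # empty or already quoted
    # Shortest prefix ending in .exe is the binary; anything after it is arguments.
    if ($p -match '^(.+?\.exe)(\s.*)?$') { $exe = $Matches[1]; $rest = $Matches[2] }
    else { $exe = $p; $rest = '' }
    if ($exe.Contains(' ')) {
        [pscustomobject]@{ Exe = $exe; Quoted = '"' + $exe + '"' + $rest }
    }
}

# Lists the paths tried before the real binary: one per space in the path, with
# .exe appended (assumes the prefix has no extension of its own).
function Get-InterceptCandidate {
    param([string]$ExePath)
    $i = $ExePath.IndexOf(' ')
    while ($i -ge 0) {
        $ExePath.Substring(0, $i) + '.exe'
        $i = $ExePath.IndexOf(' ', $i + 1)
    }
}

# Constructed input: the example path used on this page.
Get-InterceptCandidate -ExePath 'C:\Program Files\Wing FTP Server\wftpd.exe'

# Audit every Win32 service and report stray binaries at the candidate locations.
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $hit = Get-UnquotedServiceExe -ImagePath $svc.PathName
    if (-not $hit) { continue }
    $cand = @(Get-InterceptCandidate -ExePath ([Environment]::ExpandEnvironmentVariables($hit.Exe)))
    [pscustomobject]@{
        Service        = $svc.Name
        RunsAs         = $svc.StartName
        ImagePath      = $svc.PathName
        CandidatePaths = $cand -join '; '
        FoundOnDisk    = @($cand | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }) -join '; '
        QuotedValue    = $hit.Quoted
    }
}
$findings | Format-List
```

A non-empty FoundOnDisk means a binary already sits at one of the locations Windows tries first, so treat that host as a possible compromise before correcting the path. QuotedValue is the string to review and write back to the service's ImagePath.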


