CVE-2019-25306 Overview
CVE-2019-25306 is an unquoted service path vulnerability affecting BlackMoon FTP Server version 3.1.2.1731. This security flaw allows local users to potentially execute arbitrary code with elevated system privileges by exploiting the improperly quoted binary path in the Windows service configuration. When the service starts, Windows may execute a malicious binary placed in a strategic location along the unquoted path, granting attackers LocalSystem account permissions.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level access by exploiting the unquoted service path, potentially leading to complete system compromise.
Affected Products
- BlackMoon FTP Server 3.1.2.1731
Discovery Timeline
- 2026-02-11 - CVE-2019-25306 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2019-25306
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common configuration flaw in Windows services. When a Windows service is installed with a path containing spaces that is not properly enclosed in quotation marks, the operating system interprets the path ambiguously during service startup.
The BlackMoon FTP Server service executable path likely contains spaces (such as C:\Program Files\BlackMoon FTP Server\bmftp.exe). Without proper quoting, Windows attempts to resolve the path by sequentially checking for executables at each space boundary. An attacker with local access and write permissions to directories earlier in the path hierarchy can plant a malicious executable that Windows will execute instead of the legitimate service binary.
The vulnerability requires local access and the ability to write to specific filesystem locations, but successful exploitation results in code execution under the highly privileged LocalSystem account context.
Root Cause
The root cause is improper service registration during BlackMoon FTP Server installation. The installer failed to enclose the service binary path in quotation marks within the Windows Service Control Manager (SCM) registry entries. This is a common oversight in legacy Windows applications where developers did not account for paths containing spaces.
Attack Vector
The attack requires local access to the target system. An attacker must:
- Identify the unquoted service path for the BlackMoon FTP Server service
- Determine writable directories along the path hierarchy
- Place a malicious executable at a location that Windows will check before reaching the legitimate binary
- Wait for or trigger a service restart
For example, if the service path is C:\Program Files\BlackMoon FTP Server\bmftp.exe, an attacker could place a malicious Program.exe in C:\ (if writable) or BlackMoon.exe in C:\Program Files\ to have their code executed with SYSTEM privileges when the service starts.
Additional technical details and proof-of-concept information can be found in the Exploit-DB #47521 entry and the VulnCheck Advisory.
Detection Methods for CVE-2019-25306
Indicators of Compromise
- Unexpected executable files in root directories (e.g., C:\Program.exe, C:\BlackMoon.exe)
- New or modified executables in C:\Program Files\ that don't correspond to legitimate software
- Service startup failures or unusual service behavior for BlackMoon FTP Server
- Event log entries indicating service path resolution anomalies
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor for file creation events in directories along service paths (e.g., C:\, C:\Program Files\)
- Implement file integrity monitoring on critical system directories
- Use SentinelOne's behavioral AI to detect privilege escalation attempts via service manipulation
Monitoring Recommendations
- Enable Windows Security Event logging for service state changes (Event IDs 7035, 7036)
- Configure alerts for new executable files created in system root directories
- Monitor process creation events where parent process is services.exe with unexpected child executables
- Implement SentinelOne endpoint protection to detect and block malicious privilege escalation attempts
How to Mitigate CVE-2019-25306
Immediate Actions Required
- Audit all Windows services for unquoted paths using the detection query provided above
- Manually correct the BlackMoon FTP Server service path by adding quotation marks in the registry
- Review filesystem permissions on directories along the service path to ensure only administrators have write access
- Consider replacing BlackMoon FTP Server with actively maintained FTP server software
Patch Information
No vendor patch has been identified for this vulnerability. BlackMoon FTP Server appears to be legacy software with limited support. Organizations should consider migrating to alternative, actively maintained FTP server solutions. For reference, the Tucows Software Preview page provides product information.
Workarounds
- Manually quote the service path in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath
- Restrict write permissions on all directories in the service path hierarchy to administrators only
- Use Windows Software Restriction Policies or AppLocker to prevent execution of unauthorized binaries
- Consider uninstalling BlackMoon FTP Server if not critical to operations and migrating to a more secure alternative
# Registry fix to quote the service path (run as Administrator in PowerShell)
# First, identify the service name and current path:
# Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\BMFTPService" -Name ImagePath
# Then update with quoted path:
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\BMFTPService" -Name ImagePath -Value '"C:\Program Files\BlackMoon FTP Server\bmftp.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
