A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly ingest data from on-prem, cloud or hybrid environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Identity Security
    • Singularity Identity
      Identity Threat Detection and Response
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-class Expertise and Threat Intelligence.
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive solutions for seamless security operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your go-to source for our top partners in your region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-47811

CVE-2025-47811: Wing FTP Server Privilege Escalation

CVE-2025-47811 is a privilege escalation vulnerability in Wing FTP Server through 7.4.4 where the administrative web interface runs as root or SYSTEM. This article covers technical details, affected versions, and mitigations.

Updated: January 22, 2026

CVE-2025-47811 Overview

CVE-2025-47811 is a privilege escalation vulnerability affecting Wing FTP Server through version 7.4.4. The administrative web interface, which listens by default on port 5466, runs with root or SYSTEM privileges. The web application provides legitimate mechanisms to execute arbitrary system commands through the web console or task scheduler, and these commands are automatically executed in the highest possible privilege context. This design flaw allows administrative users of the web interface—who are not necessarily system administrators—to escalate their privileges and execute commands with root/SYSTEM permissions.

Critical Impact

Web application administrators can execute arbitrary system commands with root/SYSTEM privileges, potentially leading to complete system compromise.

Affected Products

  • Wing FTP Server versions through 7.4.4
  • Installations with administrative web interface enabled on port 5466
  • Windows (SYSTEM) and Linux/Unix (root) deployments

Discovery Timeline

  • 2025-07-10 - CVE-2025-47811 published to NVD
  • 2025-07-17 - Last updated in NVD database

Technical Details for CVE-2025-47811

Vulnerability Analysis

The vulnerability stems from an insecure default configuration where the Wing FTP Server's administrative web interface runs with elevated privileges. The application provides built-in functionality for executing system commands through the web console and task scheduler features. When an attacker gains access to the administrative web interface, they can leverage these legitimate features to execute arbitrary commands with root (on Unix/Linux) or SYSTEM (on Windows) privileges.

This represents a vertical privilege escalation scenario where web application administrators—a role that should be logically separated from operating system administrators—can gain full system-level access. The vendor has reportedly stated this behavior is intended and will be maintained, which increases the long-term risk for organizations using this product.

The vulnerability is related to CVE-2025-47812, which can be leveraged to gain the initial privileged application role if an attacker does not already have administrative access.

Root Cause

The root cause is classified as CWE-267 (Privilege Defined With Unsafe Actions). The Wing FTP Server administrative web interface executes with unnecessarily elevated privileges (root/SYSTEM) by default, and the application design allows web administrators to trigger system command execution. This violates the principle of least privilege, as the administrative web interface should run with minimal permissions necessary for its function, and command execution should be restricted or run with reduced privileges.

Attack Vector

The attack vector is network-based, requiring authenticated access to the administrative web interface. An attacker with administrative credentials to the Wing FTP web interface can:

  1. Access the administrative panel on port 5466
  2. Navigate to the web console or task scheduler functionality
  3. Execute arbitrary system commands that run with root/SYSTEM privileges
  4. Achieve complete system compromise without requiring OS-level administrative access

The attack can be executed remotely over the network, requires high privileges (administrative web access), but has low complexity and requires no user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component's security scope.

Detection Methods for CVE-2025-47811

Indicators of Compromise

  • Unusual command execution events originating from the Wing FTP Server process
  • Unexpected processes spawned as child processes of the Wing FTP Server service
  • Administrative logins to port 5466 from unexpected IP addresses or at unusual times
  • Task scheduler entries created with suspicious command payloads

Detection Strategies

  • Monitor Windows Event Logs or Unix syslog for process creation events where the parent process is the Wing FTP Server service
  • Implement network monitoring for connections to port 5466 from non-authorized IP ranges
  • Review Wing FTP Server audit logs for web console command execution and task scheduler modifications
  • Deploy endpoint detection and response (EDR) solutions to identify suspicious command execution patterns

Monitoring Recommendations

  • Enable detailed audit logging in Wing FTP Server for administrative actions
  • Configure SIEM alerts for command execution through the web console
  • Implement privileged access monitoring for the Wing FTP administrative interface
  • Monitor for lateral movement following any suspicious activity from the FTP server host

How to Mitigate CVE-2025-47811

Immediate Actions Required

  • Restrict network access to the administrative web interface (port 5466) using firewall rules
  • Limit administrative web interface access to trusted IP addresses only
  • Review and audit all accounts with administrative access to the Wing FTP web interface
  • Consider running Wing FTP Server under a dedicated service account with reduced privileges where possible

Patch Information

As of the last update on 2025-07-17, no vendor patch is available for this vulnerability. The vendor has reportedly stated this behavior is intentional and will be maintained. Organizations should implement compensating controls until the vendor reconsiders this design decision. For additional technical context, see the RCE Security CVE-2025-47812 Analysis which discusses related vulnerabilities.

Workarounds

  • Implement strict network segmentation to isolate the Wing FTP Server administrative interface from untrusted networks
  • Deploy multi-factor authentication in front of the administrative interface using a reverse proxy or VPN
  • Consider alternative FTP server solutions that implement proper privilege separation
  • Disable web console and task scheduler features if they are not operationally required
bash
# Example firewall configuration to restrict administrative interface access
# Only allow administrative access from trusted management network
iptables -A INPUT -p tcp --dport 5466 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5466 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechWing Ftp Server
  • SeverityMEDIUM
  • CVSS Score6.6
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-267
  • Technical References
  • RCE Security CVE-2025-47812 Analysis
  • WFTP Server Overview
  • Related CVEs
  • CVE-2025-47812
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use