CVE-2025-27889: 
Wing FTP Server vulnerability analysis and mitigation

Wing FTP Server before version 7.4.4 contains a critical information disclosure vulnerability (CVE-2025-27889) that affects the downloadpass.html endpoint. The vulnerability was discovered and reported by security researcher Julien Ahrens and was fixed in Wing FTP Server version 7.4.3, released on March 26, 2025 (RCE Security, NVD).

The vulnerability stems from improper validation and sanitization of the url parameter in the downloadpass.html endpoint. When exploited, it allows an attacker to inject an arbitrary link that, when clicked by a user, can disclose their cleartext password to the attacker. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, though MITRE initially assessed it with a lower score of 3.4 (NVD).

The vulnerability can lead to the disclosure of user credentials in cleartext. A successful exploitation could allow attackers to obtain valid user passwords, potentially leading to unauthorized access to the FTP server. This vulnerability is particularly concerning as it can be used in combination with other vulnerabilities to achieve remote code execution with elevated privileges (Help Net Security).

The vulnerability has been fixed in Wing FTP Server version 7.4.3, released on March 26, 2025. Organizations are strongly advised to upgrade to this version or later to protect against this vulnerability. No alternative workarounds have been published (NVD).