CVE-2019-25306 in FTP Server
Summary
by MITRE • 02/11/2026
BlackMoon FTP Server 3.1.2.1731 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to insert malicious code that would execute with LocalSystem account permissions during service startup.
Analysis
by VulDB Data Team • 02/11/2026
The vulnerability identified as CVE-2019-25306 affects BlackMoon FTP Server version 3.1.2.1731 and represents a critical security flaw stemming from an unquoted service path configuration. This type of vulnerability falls under the category of path traversal and privilege escalation issues, specifically categorized as CWE-16 in the Common Weakness Enumeration framework. The flaw exists when the service installation process fails to properly quote the executable path, creating opportunities for attackers to manipulate the system's service execution flow. The vulnerability is particularly dangerous because it allows local attackers to gain elevated privileges during service startup, when the system runs the service with LocalSystem account permissions.
The technical exploitation of this vulnerability relies on the Windows service configuration mechanism where the operating system searches for executables in the specified path according to the system's PATH environment variable. When a service path is not properly quoted, Windows attempts to execute files in the path in sequence until it finds a matching executable. Attackers can place malicious executables in directories that appear earlier in the PATH, causing the system to execute their code instead of the legitimate service binary. This behavior is particularly concerning in the context of system-level services running with LocalSystem privileges, which possess extensive system access rights and can modify critical system components.
The operational impact of CVE-2019-25306 extends beyond simple privilege escalation as it provides attackers with a persistent foothold within the compromised system. When the affected BlackMoon FTP service starts, the malicious code inserted into the PATH will execute with elevated privileges, potentially allowing attackers to install rootkits, modify system files, or establish backdoors. This vulnerability demonstrates a fundamental flaw in service installation practices and highlights the importance of proper service configuration management. The attack vector requires local system access and is typically classified as a local privilege escalation vulnerability within the MITRE ATT&CK framework under the technique of privilege escalation through service misconfiguration.
Mitigation strategies for this vulnerability primarily focus on correcting the service installation configuration by properly quoting the executable path during service setup. System administrators should immediately apply the vendor-provided patch or update to version 3.1.2.1732, which addresses this specific flaw. Additionally, implementing the principle of least privilege through service hardening practices can reduce the impact of such vulnerabilities. Regular security audits should verify that all installed services have properly quoted paths, and system monitoring should detect unusual service startup patterns. The vulnerability also underscores the importance of secure configuration management practices and adherence to security guidelines such as those outlined in the Center for Internet Security (CIS) benchmarks for Windows services. Organizations should conduct periodic assessments of their service configurations to identify and remediate similar unquoted path vulnerabilities across their infrastructure.
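One way to run the audit of service paths described above, as an added example (not VulDB's or the vendor's code): it flags image paths that are unquoted and contain a space, lists the shorter paths Windows' CreateProcess tries first (each space-delimited prefix with `.exe` appended), and prints the quoted form. The function name `Test-UnquotedServicePath`, the sample service names and their paths are constructed for illustration and are not taken from the BlackMoon installation.

```powershell
# Added example. Service names and paths below are constructed samples.
function Test-UnquotedServicePath {
    param([string]$Name, [string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }            # quoted: parsed unambiguously

    # Intended binary = text up to the first ".exe" followed by a space or end;
    # anything after that is treated as arguments.
    if ($p -notmatch '^(?<exe>.+?\.exe)(?=\s|$)') { return }
    $exe = $Matches['exe']
    if (-not $exe.Contains(' ')) { return }       # no space: nothing to misparse

    # Each space-delimited prefix + ".exe" is tried before the real binary.
    $candidates = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $candidates += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }

    [pscustomobject]@{
        Service         = $Name
        ImagePath       = $p
        TriedFirst      = $candidates -join '; '
        QuotedImagePath = '"' + $exe + '"' + $p.Substring($exe.Length)
    }
}

# Constructed sample input: one unquoted path with spaces, one quoted, one without spaces.
$samples = @(
    @{ Name = 'ExampleFtpSvc';  PathName = 'C:\Program Files\Example Vendor\FTP Server\ftpsvc.exe -service' }
    @{ Name = 'ExampleQuoted';  PathName = '"C:\Program Files\Example Vendor\Agent\agent.exe" /run' }
    @{ Name = 'ExampleNoSpace'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples |
    ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName } |
    Format-List

# Live host: Get-CimInstance Win32_Service |
#   ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName }
```

Only `ExampleFtpSvc` is reported. `QuotedImagePath` is the value the service's image path should carry, and the `TriedFirst` locations are the ones whose write permissions deserve review until the path is corrected.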