A severe security vulnerability, tracked as CVE-2025-47812, has been identified in Wing FTP Server versions up to and including 7.4.3.
This flaw, classified under CWE-94: Code Injection, carries a maximum CVSSv4 score of 10.0, indicating its criticality and ease of exploitation.
The vulnerability was discovered by security researcher Julien Ahrens from RCE Security and publicly disclosed on June 30, 2025.
Exploiting a NULL Byte Handling Flaw
Wing FTP Server is a widely used, cross-platform FTP solution supporting multiple protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP.
Its web-based administration and flexible connectivity make it popular among enterprises and small businesses alike.
The vulnerability resides in the server’s handling of the /loginok.html endpoint.
Specifically, the server fails to properly sanitize the “username” parameter when it contains NULL bytes.
This oversight enables attackers to inject arbitrary Lua code into user session files.
If exploited, this allows an attacker to execute any command on the underlying system with the same privileges as the Wing FTP Server process—typically root on Linux or NT AUTHORITY/SYSTEM on Windows.
A proof-of-concept exploit demonstrates how an attacker can craft a malicious POST request to the vulnerable endpoint:
textPOST /loginok.html HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 121
username=anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=correct
This payload injects Lua code that executes the id command, demonstrating arbitrary command execution.
The risk is heightened if the server allows anonymous access, as it enables fully unauthenticated remote code execution.
Mitigation and Industry Response
Upon notification, the vendor promptly released Wing FTP Server version 7.4.4, which addresses this vulnerability.
All users are strongly urged to update immediately to mitigate the risk of exploitation.
RCE Security emphasizes the importance of continuous vulnerability management and rapid response.
Their approach involves continuous penetration testing, external attack surface management, and detailed, actionable reporting to ensure vulnerabilities like CVE-2025-47812 are identified and remediated before malicious actors can exploit them.
This incident underscores the critical need for robust input validation and regular software updates in all internet-facing services.
Organizations running Wing FTP Server should prioritize patching and review their server configurations, especially regarding anonymous access permissions, to minimize exposure.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=This flaw, classified under CWE-94: Code Injection, carries a maximum CVSSv4 score of 10.0, indicating its criticality and ease of exploitation.){kind=link}