A newly disclosed critical vulnerability in Wing FTP Server has been assigned CVE-2025-47812 with a maximum CVSSv4 score of 10.0, allowing unauthenticated attackers to achieve complete server control.
The vulnerability, discovered by security researcher Julien Ahrens from RCE Security, affects all versions of Wing FTP Server up to and including version 7.4.3.
Key Takeaways
1. CVE-2025-47812, critical RCE vulnerability in Wing FTP Server ≤7.4.3 via NULL byte injection in /loginok.html endpoint.
2. Complete server takeover with root/SYSTEM privileges; maximum CVSSv4 score of 10.0.
3. Update to version 7.4.4 immediately; review anonymous access configurations.
This remote code execution (RCE) flaw exploits improper NULL byte handling in the server’s authentication mechanism, enabling attackers to inject arbitrary Lua code and execute system commands with elevated privileges.
Code Injection Vulnerability
The vulnerability resides in the /loginok.html endpoint, which fails to properly sanitize NULL bytes when processing the username parameter.
This CWE-94 code injection weakness allows attackers to break out of the intended parameter context and inject malicious Lua code into user session files.
The exploit mechanism leverages the server’s Lua scripting engine, which Wing FTP Server uses internally for various operations.
The proof-of-concept payload demonstrates the severity of this vulnerability:
This payload exploits the NULL byte (%00) to terminate the username string prematurely, followed by Lua code that executes system commands through io.popen().
The injected code can execute arbitrary operating system commands, including id in this example, which returns user information on Unix-like systems.
The vulnerability’s impact is particularly severe because Wing FTP Server typically runs with elevated privileges, as root on Linux systems and NT AUTHORITY/SYSTEM on Windows platforms.
This means successful exploitation grants attackers complete administrative control over the affected server, not just the FTP service itself.
The attack vector is especially dangerous for servers configured to allow anonymous FTP access, as it provides a completely unauthenticated path to system compromise.
| Risk Factors | Details |
| Affected Products | Wing FTP Server ≤ 7.4.3 |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Unauthenticated access to /loginok.html endpoint, Network access to target server |
| CVSS 3.1 Score | 10.0 (Critical) |
Immediate Remediation Required
Organizations running Wing FTP Server must immediately update to version 7.4.4, which was released on May 14, 2025, specifically to address this vulnerability.
The vendor, Wing FTP Server team, acknowledged the issue as a critical bug and implemented proper input validation to prevent NULL byte injection attacks.
The vulnerability was responsibly disclosed following a coordinated timeline, with the vendor confirming the issue within hours of notification and releasing a patch just four days later.
System administrators should prioritize this update given the vulnerability’s maximum CVSS score and the potential for complete system compromise.
Additionally, organizations should review their FTP server configurations and consider implementing network-level protections such as firewalls and intrusion detection systems to monitor for exploitation attempts targeting this vulnerability.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
