CVE-2025-47812
📋 TL;DR
CVE-2025-47812 is a critical remote code execution vulnerability in Wing FTP Server that allows attackers to inject arbitrary Lua code through a null-byte handling flaw in the web interface. The injected code runs system commands with the privileges of the FTP service (typically root/SYSTEM), leading to complete server compromise. All Wing FTP Server installations before version 7.4.4 are affected, including those that only expose anonymous FTP accounts.
💻 Affected Systems
- Wing FTP Server
📦 What is this software?
Wing FTP Server by Wftpserver (wftpserver.com), a cross-platform FTP/web file server.
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with root/SYSTEM privileges, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Remote code execution leading to server compromise, data exfiltration, and potential deployment of malware or backdoors.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though exploitation would still grant FTP service privileges.
🎯 Exploit Status
Exploitation is straightforward with public proof-of-concept code available. CISA has added this to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.4
Vendor Advisory: https://www.wftpserver.com
Restart Required: Yes
Instructions:
1. Download Wing FTP Server version 7.4.4 or later from the official website.
2. Stop the FTP service.
3. Install the updated version.
4. Restart the FTP service.
🔧 Temporary Workarounds
Disable Anonymous FTP Access
Prevents exploitation via anonymous accounts by disabling anonymous FTP functionality.
Edit Wing FTP Server configuration to set 'AllowAnonymous=0' in the server settings
Network Access Control
Restrict access to the Wing FTP Server web interfaces to trusted IP addresses only.
Configure firewall rules to allow only specific IPs to access FTP server ports (typically 21, 80, 443, 5466)
🧯 If You Can't Patch
- Isolate the FTP server in a segmented network zone with strict egress filtering
- Implement application allowlisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the Wing FTP Server version in the admin interface or via the 'wingftpserver --version' command. If the version is below 7.4.4, the system is vulnerable.
Check Version:
wingftpserver --version
Verify Fix Applied:
Confirm that the reported version is 7.4.4 or higher using the same version check method.
📡 Detection & Monitoring
Log Indicators:
- Unusual Lua code execution in session files
- Suspicious FTP commands containing null bytes or Lua patterns
- Unexpected process execution from FTP service account
Network Indicators:
- HTTP/FTP requests containing '%00' or null byte sequences
- Unusual outbound connections from FTP server
SIEM Query:
source="wingftp" AND (message="*%00*" OR message="*lua*" OR process="*cmd*" OR process="*powershell*")
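The log and network indicators above can be checked offline without a SIEM. The script below is an added example, not part of this advisory or of the vendor's software: it scans log lines for percent-encoded or raw null bytes, for Lua shell-execution functions appearing in session data, and for command interpreters spawned as children of the FTP service process. The log format and the sample lines are constructed for the example; the process name 'wftpserver' and the field names (user=, cmd=, parent=, child=) are assumptions and should be mapped to whatever your Wing FTP Server and EDR logs actually emit.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real Wing FTP Server output). The layout
# "timestamp source client method path user=... status=..." is an assumption.
SAMPLE_LOG = """\
2025-07-10T09:12:01Z wingftp 203.0.113.5 POST /login user=anonymous status=200
2025-07-10T09:12:02Z wingftp 203.0.113.5 POST /login user=anonymous%00x status=200
2025-07-10T09:12:03Z wingftp 203.0.113.9 GET /dir user=alice status=200
2025-07-10T09:12:04Z wingftp session user=bob cmd="os.execute('id')" status=200
2025-07-10T09:12:05Z wingftp proc parent=wftpserver child=cmd.exe user=SYSTEM
2025-07-10T09:12:06Z wingftp 198.51.100.2 GET /index user=carol status=200
"""

# Indicator 1: null bytes, either URL-encoded (%00) or literal (\x00).
NULL_BYTE = re.compile(r"%00|\x00", re.IGNORECASE)

# Indicator 2: Lua functions that execute commands or load code; seeing these
# in session data or request parameters matches the "Lua patterns" indicator.
LUA_EXEC = re.compile(r"\b(os\.execute|io\.popen|loadstring|dofile)\b")

# Indicator 3: a command interpreter spawned by the FTP service process.
# The "parent=wftpserver child=..." fields are assumed EDR-style output.
SUSPICIOUS_CHILD = re.compile(
    r"parent=wftpserver\b.*\bchild=(cmd(\.exe)?|powershell(\.exe)?|/bin/sh|bash)\b",
    re.IGNORECASE,
)

INDICATORS = [
    ("null_byte", NULL_BYTE),
    ("lua_pattern", LUA_EXEC),
    ("suspicious_child_process", SUSPICIOUS_CHILD),
]


def scan_log_lines(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, indicator) pair that matches.

    Each finding records the 1-based line number, the indicator name and the
    offending line so it can be forwarded to a ticket or a SIEM as-is.
    """
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"line_no": line_no, "indicator": name, "line": line})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per indicator, which is the shape a dashboard wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['indicator']}: {f['line']}")
    print(summarize(scan_log_lines(SAMPLE_LOG)))
```

Run it against an exported log file by reading the file into a string and passing it to scan_log_lines. A match on null_byte alone is only a lead, since some scanners and fuzzers send %00 without following up; a null_byte hit followed shortly by a lua_pattern or suspicious_child_process hit from the same host is the combination worth treating as a probable compromise and escalating to incident response.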
🔗 References
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.wftpserver.com
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812
- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild