Vulnerability Description
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wftpserver | Wing Ftp Server | < 7.4.4 |
Related Weaknesses (CWE)
References
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-4ExploitThird Party Advisory
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-coThird Party Advisory
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-cMitigationThird Party Advisory
- https://www.wftpserver.comProduct
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource
- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-478ExploitThird Party Advisory
FAQ
What is CVE-2025-47812?
CVE-2025-47812 is a vulnerability with a CVSS score of 10.0 (CRITICAL). In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitr...
How severe is CVE-2025-47812?
CVE-2025-47812 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-47812?
Check the references section above for vendor advisories and patch information. Affected products include: Wftpserver Wing Ftp Server.