Want to stay ahead of threats in 2025? This research report is all you need to stay updated.
Get a Demo

Vulnerabilities

CVE-2025-47812

Wing FTP Server Hit by Critical RCE Vulnerability: CVE-2025-47812 Explained

Vulnerability Overview 

CVE ID: CVE-2025-47812 

CVE Title: Wing FTP Server Null Byte Injection and Remote Code Execution 

Severity: Critical  

Exploit Status: Actively exploited in the wild, public PoC available 

Business Risk: This vulnerability allows attackers to fully take over affected servers without logging in. They can steal data, install malware, stay hidden, and disrupt operations. 

Compliance Impact: High potential for violations of standards like HIPAA, PCI-DSS, and GDPR due to unauthorized access, uncontained malware spread, and exfiltration of sensitive files.

Summary

CVE-2025-47812 is a critical remote code execution vulnerability in Wing FTP Server versions before 7.4.4, caused by improper handling of null (\0) bytes in the login interface. It allows unauthenticated attackers to inject Lua code into session files and execute system commands with root or SYSTEM privileges. The flaw is exploitable even via anonymous FTP accounts and has been actively used for reconnaissance, persistence, and malware delivery attempts. Over 8,000 exposed servers are affected worldwide. CISA added the bug to its Known Exploited Vulnerabilities Catalog on July 14, 2025.

Urgent Actions Required

  • Update Wing FTP Server to version 7.4.4 or later immediately.
  • Disable or restrict HTTP/HTTPS access to the Wing FTP web interface if patching is not yet possible.
  • Disable anonymous FTP logins to reduce the attack surface.
  • Monitor the session directory for suspicious .lua files or unexpected user session behavior.
  • Review logs for unusual login attempts or reconnaissance activity via malformed usernames.

Which Systems Are Vulnerable to CVE-2025-47812?

Technical Overview

  • Vulnerability Type: Remote Code Execution via Null Byte and Lua Injection
  • Affected Software/Versions:
    Wing FTP Server versions prior to 7.4.4
  • Attack Vector: Network (HTTP/HTTPS, FTP)
  • CVSS Score: 10.0
  • Exploitability Score:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
  • Patch Availability: Yes, available in version 7.4.4
    FTP Server Download[3]
    Wing FTP Server History[7]

How Does the CVE-2025-47812 Exploit Work?

The attack typically follows these steps:

How Does the CVE-2025-47812 Exploit Work

What Causes CVE-2025-47812?

Vulnerability Root Cause:  

The vulnerability happens because Wing FTP Server doesn’t properly handle NULL (\0) bytes in usernames. Attackers can insert harmful Lua code into session files, which the server later runs with full system privileges. This leads to remote code execution, even without logging in or using anonymous FTP.

How Can You Mitigate CVE-2025-47812?

If immediate patching is delayed or not possible:  

  • Limit Wing FTP Server login access to trusted IP addresses using firewall rules. 
  • Turn off anonymous FTP accounts or limit what they can do. 
  • Watch server logs for unusual logins or changes to session files. 
  • Use a WAF to block requests with suspicious NULL byte characters in usernames. 
  • Regularly check session files for any unexpected code or changes. 
  • Test the server with special payloads to make sure Lua code injection attempts are stopped or recorded.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • Wing FTP Server installations running versions prior to 7.4.4
  • FTP and SFTP services relying on Wing FTP Server
  • Web interfaces and admin panels of Wing FTP Server

Business-Critical Systems at Risk:

  • File transfer services exposing sensitive or critical data
  • Systems where Wing FTP Server runs with root or SYSTEM privileges
  • Servers allowing anonymous FTP access that may be exploited remotely

Exposure Level:

  • Internet-facing FTP/SFTP servers running vulnerable Wing FTP Server versions
  • Internal servers with Wing FTP Server not yet patched
  • Any environment where user session files are created and processed by the server

Will Patching CVE-2025-47812 Cause Downtime?

Patch application impact: Moderate. To fix this critical remote code execution vulnerability, update Wing FTP Server to version 7.4.4 or later. Applying the patch typically requires restarting the FTP service, which may cause brief service interruptions or downtime depending on the deployment environment and server configuration. Plan accordingly to minimize impact, especially on production or internet-facing servers. 

Mitigation (if immediate patching is not possible): Partial risk reduction can be achieved by restricting or blocking FTP/SFTP anonymous logins and closely monitoring access. However, there is no complete mitigation until the official patch is applied. All vulnerable servers remain at high risk of full compromise until updated.

How Can You Detect CVE-2025-47812 Exploitation?

Exploitation Signatures:

  • Crafted login requests with the username parameter containing NULL bytes (\0) followed by Lua code injection patterns.
  • POST requests to /loginok.html with suspicious payloads attempting to inject code via the username field.
  • Subsequent GET requests to /dir.html using returned UID cookies that trigger execution of injected Lua code.

MITRE ATT&CK Mapping:

  • T1190[5] – Exploit Public-Facing Application
  • T1059[6] – Command and Scripting Interpreter

Indicators of Compromise (IOCs/IOAs):

  • Presence of unusual NULL byte encoded sequences (%00) in login POST data.
  • Unexpected UID cookie values returned after login attempts with injected payloads.
  • Execution of unexpected commands or abnormal server responses on accessing authenticated endpoints like /dir.html.

Behavioral Indicators:

  • Arbitrary system commands executed via web interface without valid authentication.
  • Sudden or unexplained privilege escalation to root or SYSTEM on the server.
  • Web sessions containing injected Lua code fragments in session files.

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Login attempts containing NULL bytes in username or password parameters.
    • Anomalous commands or output returned after authenticated web interface access.
    • Unexpected UID cookies or session file modifications indicative of code injection

Remediation & Response

Patch/Upgrade Instructions:

  • Update Wing FTP Server to version 7.4.4 or later, which fixes the remote code execution vulnerability.[3]
  • Follow the vendor’s official guidance for applying the update: https://www.wftpserver.com

Mitigation Steps if No Patch:

  • Restrict access to the FTP service from untrusted networks or anonymous users where possible.
  • Monitor and block suspicious login attempts that include NULL byte (%00) sequences in the username parameter.
  • Implement strict input validation or filtering at web application firewalls (WAFs) or proxies to detect and block injection attempts targeting the username field.
  • Log all login requests and subsequent authenticated access to detect abnormal command execution or session behaviors.

Remediation Timeline:

  • Immediate (0–2 hrs): Apply network-level restrictions and monitoring for suspicious login patterns.
  • Within 24 hrs: Patch all affected Wing FTP Server instances to version 7.4.4 or above.
  • Within 48 hrs: Verify all environments have been updated and monitor logs for exploitation attempts.

Rollback Plan:

  • If the patch introduces operational issues, revert to the previous stable version and strengthen access controls and monitoring as temporary compensations.
  • Document all rollback actions in change-management records including timestamps, responsible personnel, and version details.

Incident Response Considerations:

  • Isolate affected servers promptly to prevent further exploitation and privilege escalation.
  • Collect forensic data such as server logs, session files, and network traffic related to suspicious login and authenticated access events.
  • Investigate for signs of arbitrary command execution or unauthorized root/SYSTEM-level activity.
  • After patching, enhance logging around login inputs and session management to detect future injection attempts and verify mitigation effectiveness.

Compliance & Governance Notes

Audit Trail Requirement:

  • Log all login attempts with username parameters containing unusual or NULL byte (%00) sequences, including timestamp, source IP, and requested URI.
  • Record patch deployment details including date, time, responsible personnel, affected servers, and version updated to 7.4.4 or later.
  • Maintain a revision-controlled change log for Wing FTP Server upgrades and vulnerability remediation steps.

Policy Alignment:

  • Update Vulnerability Management Policy to include rapid patching and monitoring of Wing FTP Server versions up to 7.4.3.
  • Incorporate monitoring and filtering policies to detect and block malformed usernames with NULL byte injection attempts.
  • Revise Incident Response Plan to cover remote code execution scenarios involving session file manipulation and privilege escalation on FTP servers.

Where Can I Find More Information on CVE-2025-47812?

CVE References:

    1. ^NVD – CVE-2025-47812
    2. ^GitHub Advisory by 4m3rr0r (PoC & Details)
    3. ^Wing FTP Server Official Site & Downloads
    4. ^CISA Known Exploited Vulnerabilities Catalog – CVE-2025-47812
    5. ^T1190 – Exploit Public-Facing Application
    6. ^T1059 – Command and Scripting Interpreter
    7. ^Wing FTP Server History

CVSS Breakdown Table

MetricValue Description
Base Score10Critical severity indicating total server compromise upon successful exploitation (per MITRE CNA)
Attack VectorNetworkExploitable remotely over the network without local access
Attack ComplexityLowStraightforward exploitation without special conditions
Privileges RequiredNoneNo authentication or elevated privileges needed to exploit
User Interaction NoneNo user action required for exploitation
Scope Unchanged Exploitation leads to complete compromise of the affected system, impacting beyond initial component
Confidentiality Impact HighFull system compromise allows disclosure of sensitive data
Integrity ImpactHighExploit enables arbitrary code execution and modification of system state
Availability Impact HighSuccessful exploit can fully compromise availability (root/SYSTEM level access)

Know what’s happening on your network and stop threats fast

Download the Data Sheet

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo