Wing FTP Server Vulnerability Allows Full Server Takeover by Attackers
A newly disclosed critical vulnerability in Wing FTP Server threatens thousands of organizations worldwide, enabling attackers to achieve full server takeover through unauthenticated remote code execution (RCE).
The flaw, tracked as CVE-2025-47812, has been assigned a maximum CVSSv4 score of 10.0, underscoring its severity and ease of exploitation.
Vulnerability Details
The vulnerability, discovered by security researcher Julien Ahrens of RCE Security, affects Wing FTP Server versions up to and including 7.4.3.
The flaw stems from improper handling of NULL bytes in the /loginok.html endpoint when processing the username parameter. This oversight allows attackers to inject arbitrary Lua code into user session files.
| CVE ID | Affected Versions | CVSSv4 Score | Attack Vector | Solution |
| --- | --- | --- | --- | --- |
| CVE-2025-47812 | ≤ 7.4.3 | 10.0 | Network | Update to 7.4.4 |
“Successful exploits can allow an unauthenticated attacker to execute arbitrary commands on the underlying server. Since Wing FTP runs as root on Linux and NT AUTHORITY/SYSTEM on Windows by default, this essentially means the total compromise of the underlying server,” the advisory warns.
If the server is configured to allow anonymous users—a common scenario for public-facing FTP services—the attack requires no authentication, making exploitation trivial for threat actors.
Proof of Concept
A simple HTTP POST request can trigger the vulnerability.
By crafting a malicious username parameter containing a NULL byte and Lua code, attackers can execute system-level commands.
For example, the following payload demonstrates the flaw:
POST /loginok.html HTTP/1.1
Host: localhost
...
username=anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=correct
Immediate Remediation Recommended
The vendor has released Wing FTP Server version 7.4.4, which addresses the vulnerability. All users are urged to update immediately to prevent exploitation.
Organizations running affected versions should also review server logs for signs of compromise and restrict anonymous access where possible.
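A defender-side check for the trigger described above, added here as an example and not taken from the advisory or from Wing FTP's own code: it decodes the username field of a /loginok.html POST to bytes, flags a NULL byte (and code-like content after it), and compares a reported version against the 7.4.4 fix. The sample request bodies are constructed, and the script assumes you can feed it the request path and body from a WAF, reverse proxy, or request log.

```python
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# The advisory says <= 7.4.3 is affected and 7.4.4 is the fix.
FIXED_VERSION = (7, 4, 4)


def parse_version(text: str) -> tuple:
    """'7.4.3' -> (7, 4, 3); a suffix such as '7.4.3-beta' is ignored."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def is_affected_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def raw_form_field(body: str, name: str) -> Optional[bytes]:
    """Percent-decode one form field to bytes so a %00 survives inspection."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_to_bytes(value.replace("+", " "))
    return None


def login_request_findings(path: str, body: str) -> List[str]:
    """Reasons a POST looks like a CVE-2025-47812 attempt (empty = clean)."""
    findings: List[str] = []
    if path.split("?", 1)[0] != "/loginok.html":
        return findings
    user = raw_form_field(body, "username")
    if user is None or b"\x00" not in user:
        return findings
    findings.append("NULL byte in username")
    tail = user.split(b"\x00", 1)[1]
    # The published payload closes a Lua long string with ']]' and then
    # calls functions; either shape after the NULL byte is a strong signal.
    if b"]]" in tail or b"(" in tail:
        findings.append("code-like content after NULL byte")
    return findings


if __name__ == "__main__":
    # Constructed sample bodies (not real traffic); the second mimics the
    # trigger shape without doing anything harmful.
    samples = [
        "username=alice&password=hunter2",
        'username=guest%00]]%0dprint("probe")%0d--&password=pw',
    ]
    for body in samples:
        print(body[:30], "->", login_request_findings("/loginok.html", body) or "clean")
    print("7.4.3 affected:", is_affected_version("7.4.3"))
```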
Timeline
- 2025-05-10: Vulnerability discovered and reported to vendor
- 2025-05-14: Patch released (version 7.4.4)
- 2025-06-30: Public disclosure
Wing FTP Server is a cross-platform file transfer solution supporting FTP, FTPS, HTTP, HTTPS, and SFTP protocols.
Its popularity and default high-privilege operation on both Linux and Windows make this vulnerability particularly dangerous.
The disclosure highlights the importance of continuous penetration testing and external attack surface management to identify and remediate vulnerabilities before attackers can exploit them.
Security experts recommend regular updates, strict access controls, and monitoring for suspicious activity to mitigate similar risks.