Critical Vulnerability in Wing FTP Server (CVE-2025-47812) Actively Exploited

A critical security flaw tracked as CVE-2025-47812 has been discovered in Wing FTP Server, a widely used cross-platform file transfer product. The vulnerability carries a CVSS score of 10.0 and allows a remote attacker, with no valid credentials where anonymous access is enabled, to execute arbitrary code on the server, leading to full system compromise. The issue is fixed in version 7.4.4.

Vulnerability Details

The flaw arises from improper handling of null (‘\0’) bytes in the server’s web interface, specifically within the `/loginok.html` endpoint. This mishandling permits attackers to inject arbitrary Lua code into user session files. When the server later loads such a session file, the injected code runs with the privileges of the FTP service, which in a default installation are root on Linux and NT AUTHORITY\SYSTEM on Windows.

Exploitation in the Wild

Cybersecurity firm Huntress has observed active exploitation of this vulnerability. Attackers have been seen downloading and executing malicious Lua files, conducting reconnaissance, and installing remote monitoring and management (RMM) software. Notably, the flaw can be exploited through anonymous FTP accounts, so any server that permits anonymous logins is exposed to attackers holding no credentials at all.

Technical Breakdown

The vulnerability is rooted in how the server processes the `username` parameter during authentication. The login check reads the username as a C-style string and therefore stops at the first null byte, so a value such as a valid account name followed by a null byte passes authentication. The session file, however, is written as Lua source containing the full submitted value, including everything after the null byte. An attacker who places a closing quote and Lua statements after the null byte thereby turns the session file into an executable payload, which runs when the session is loaded and grants the attacker arbitrary command execution with the service's elevated privileges.
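The following Python model, added here as an illustration and not taken from Wing FTP Server's code, reproduces the bug class the paragraph describes: an authentication check that truncates at the first null byte, paired with a session writer that interpolates the full username into a Lua string literal. The account list, the session-file layout (`session.username = "..."`), and the helper names are assumptions made for the example. A hardened variant validates the raw input and escapes it before it is written, so the name can never close the literal.

```python
"""Constructed model of NUL-byte truncation leading to Lua injection in a
session file.  Not Wing FTP Server's code; names and file layout are assumed."""
from typing import Optional

# Constructed account table (assumption for the example).
USERS = {"anonymous": "", "alice": "s3cret"}


def c_string(s: str) -> str:
    """Model of a C string: everything after the first NUL byte is invisible."""
    nul = s.find("\0")
    return s if nul < 0 else s[:nul]


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Vulnerable: checks the *truncated* name, so 'anonymous\\0<junk>' passes."""
    name = c_string(username)
    return name in USERS and USERS[name] == password


def write_session_vulnerable(username: str) -> str:
    """Vulnerable: interpolates the *full* raw username into Lua source."""
    return f'session.username = "{username}"\n'


def lua_quote(s: str) -> str:
    """Serialise s as a Lua double-quoted literal (escaping in the style of
    Lua's string.format('%q'): quotes, backslashes, and control bytes)."""
    out = ['"']
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))   # \ddd decimal escape, NUL included
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


def valid_username(username: str) -> bool:
    """Reject control bytes (NUL included) on the raw input, before any use."""
    return 0 < len(username) <= 64 and not any(
        ord(c) < 0x20 or ord(c) == 0x7F for c in username)


def authenticate_hardened(username: str, password: str) -> bool:
    """Hardened: validate and compare the same, untruncated representation."""
    return valid_username(username) and USERS.get(username) == password


def write_session_hardened(username: str) -> Optional[str]:
    """Hardened: refuse bad input, then escape. Returns None when rejected."""
    if not valid_username(username):
        return None
    return f"session.username = {lua_quote(username)}\n"


def strip_lua_strings(src: str) -> str:
    """Blank out the contents of double-quoted Lua literals (honouring backslash
    escapes) so that any code sitting *outside* a literal becomes visible."""
    out, i, in_str = [], 0, False
    while i < len(src):
        ch = src[i]
        if in_str:
            if ch == "\\":
                i += 2          # skip the escaped character
                continue
            if ch == '"':
                in_str = False
                out.append('""')
        elif ch == '"':
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Constructed payload: valid name, NUL, then a closing quote and Lua code.
PAYLOAD = 'anonymous\x00"; os.execute("id") --'

if __name__ == "__main__":
    print("vulnerable auth accepts payload:", authenticate_vulnerable(PAYLOAD, ""))
    print("vulnerable session file, literals blanked:",
          strip_lua_strings(write_session_vulnerable(PAYLOAD)).rstrip())
    print("hardened auth accepts payload:", authenticate_hardened(PAYLOAD, ""))
    print("hardened session file:", write_session_hardened(PAYLOAD))
```

Running the script shows the vulnerable path accepting the payload and producing a session file in which `os.execute("id")` sits outside the string literal, while the hardened path rejects the same input outright. The two fixes are independent and both matter: rejecting control bytes closes this specific truncation mismatch, and escaping on output prevents a plain quote character from having the same effect without any null byte.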

Scope of the Issue

Data from Censys indicates that there are 8,103 publicly accessible devices running Wing FTP Server, of which 5,004 expose the web interface through which the flaw is reached. The majority of these instances are located in the United States, China, Germany, the United Kingdom, and India. With exploitation already under way, this exposure makes prompt remediation essential.

Mitigation Measures

Users and administrators are strongly advised to upgrade to Wing FTP Server version 7.4.4 or later. Until the upgrade is applied, disabling anonymous FTP access where it is not required removes the credential-free path to the flaw, and limiting exposure of the web interface reduces the attack surface further.

Conclusion

The discovery and active exploitation of CVE-2025-47812 highlight the importance of timely software updates and vigilant system monitoring. Organizations using Wing FTP Server should prioritize applying the necessary patches and reviewing their security configurations to mitigate potential threats.