SentinelOne
CVE Vulnerability Database
CVE-2025-47812: Wing FTP Server RCE Vulnerability

CVE-2025-47812 is a critical RCE vulnerability in Wing FTP Server that allows attackers to inject Lua code and execute system commands with root privileges. This article covers technical details, affected versions, and mitigation.

CVE-2025-47812 Overview

In Wing FTP Server before version 7.4.4, the user and admin web interfaces mishandle \0 bytes, which allows the injection of arbitrary Lua code into user session files. This enables execution of arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is a remote code execution vulnerability, providing a means for complete server compromise, and is exploitable via anonymous FTP accounts.

Critical Impact

This vulnerability allows full system compromise via arbitrary code execution with root or SYSTEM privileges.

Affected Products

  • Wing FTP Server (all versions before 7.4.4)

Discovery Timeline

  • 2025-07-10 - CVE-2025-47812 published to NVD
  • 2025-11-05 - Last updated in NVD database

Technical Details for CVE-2025-47812

Vulnerability Analysis

The flaw results from improper handling of null byte (\0) inputs by the user and admin web interfaces. This mishandling allows attackers to inject Lua scripts into session files, facilitating remote command execution with elevated privileges.

Root Cause

The vulnerability is rooted in the web interfaces' failure to sanitize inputs that include embedded null bytes, allowing code injection into session management files processed by the FTP server.

Attack Vector

This is an externally exploitable vulnerability via the network, accessible through both authenticated and unauthenticated channels, including anonymous FTP access.

```lua
-- Example exploitation code (sanitized)
local payload = "os.execute('whoami')"
local injected_session_file = "|\0" .. payload .. "\0|"
```

Detection Methods for CVE-2025-47812

Indicators of Compromise

  • Unexpected system command executions via init.lua
  • Modification of FTP user session files
  • Unusual log entries or connections to the FTP service

Detection Strategies

Employ file integrity monitoring tools to detect unauthorized changes to session files and init.lua. Leverage intrusion detection systems (IDS) to flag suspicious activity involving \0 byte patterns in FTP communication.

Monitoring Recommendations

Regularly audit FTP server logs for irregular command executions and session file modifications. Utilize network traffic analysis to identify patterns consistent with exploitation attempts.
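The file integrity monitoring and session-file auditing described in the two sections above, as an added example that is not part of the SentinelOne page or of Wing FTP Server itself. It baselines SHA-256 digests of every file under a directory, reports added, removed and modified files, and scans each file for the two artifacts the advisory calls out: embedded NUL bytes and Lua execution primitives in a session file. The directory layout, file names and contents in `demo()` are constructed for the demonstration; in a real deployment the session directory path and the `init.lua` location come from the server's configuration.

```python
"""Added example: integrity baseline plus content scan for Wing FTP session files.
Paths, file names and contents below are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Lua execution primitives that should never appear inside a session file.
SUSPICIOUS_LUA = re.compile(rb"\b(os\.execute|io\.popen|loadstring|load|dofile)\s*\(")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Map relative path (forward-slash separated) -> SHA-256 digest of every file."""
    result = {}
    for root, _, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            rel = os.path.relpath(p, directory).replace(os.sep, "/")
            result[rel] = sha256_file(p)
    return result


def diff_baseline(old, new):
    """Return (added, removed, modified) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified


def scan_file(path):
    """Findings for one file: embedded NUL bytes and Lua execution calls."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    if b"\x00" in data:
        findings.append("embedded NUL byte at offset %d" % data.index(b"\x00"))
    for m in SUSPICIOUS_LUA.finditer(data):
        findings.append("Lua execution primitive %s( at offset %d"
                        % (m.group(1).decode(), m.start()))
    return findings


def scan_directory(directory):
    """Map relative path -> findings, for files that have at least one finding."""
    out = {}
    for rel in baseline(directory):
        f = scan_file(os.path.join(directory, rel))
        if f:
            out[rel] = f
    return out


def demo():
    """Constructed scenario: baseline, then one session file tampered and one added."""
    d = tempfile.mkdtemp()
    sess = os.path.join(d, "session")
    os.makedirs(sess)
    with open(os.path.join(sess, "abc123.lua"), "wb") as f:
        f.write(b'username = "alice"\nlast_ip = "192.0.2.10"\n')
    with open(os.path.join(d, "init.lua"), "wb") as f:
        f.write(b"-- server init\n")
    before = baseline(d)
    # Simulated tampering (constructed): NUL-delimited Lua appended to a session file.
    with open(os.path.join(sess, "abc123.lua"), "ab") as f:
        f.write(b'username = "anonymous\x00"\nos.execute("id")\x00\n')
    with open(os.path.join(sess, "zzz999.lua"), "wb") as f:
        f.write(b'username = "bob"\n')
    after = baseline(d)
    return diff_baseline(before, after), scan_directory(d)


if __name__ == "__main__":
    (added, removed, modified), findings = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    for rel, items in findings.items():
        print(rel, "->", items)
```

Run `baseline()` on a schedule, persist the result, and alert on any non-empty `modified` set for `init.lua` or on any `scan_directory()` finding; session files are written by the server during normal logins, so the content scan rather than the raw change count is what separates legitimate churn from injection.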

How to Mitigate CVE-2025-47812

Immediate Actions Required

  • Disable anonymous FTP access if not necessary
  • Restrict FTP access to trusted IP ranges
  • Implement least privilege principles and review service account permissions

Patch Information

A security patch has been released by the vendor, updating Wing FTP Server to version 7.4.4. It is crucial to apply this patch immediately to mitigate the vulnerability.

Workarounds

As an interim measure, administrators can disable the web management interface or restrict access using firewall rules to trusted IPs only.

```bash
# Configuration example: allow FTP control connections only from a trusted
# address, then drop everything else. Replace <trusted_ip> with the real
# address or CIDR range; apply the same pair of rules to the ports the user
# and admin web interfaces listen on, since those are the vulnerable components.
iptables -I INPUT -p tcp -s <trusted_ip> --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
