
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-47812 is a critical remote code execution vulnerability affecting Wing FTP Server versions before 7.4.4. The vulnerability was discovered in June 2025 and publicly disclosed on June 30, 2025. The flaw exists in both the user and admin web interfaces, which improperly handle null ('\0') bytes, allowing injection of arbitrary Lua code into user session files. This vulnerability can be exploited to execute arbitrary system commands with root or SYSTEM privileges, which are the default service permissions (RCE Security, Hacker News).
The vulnerability stems from how null bytes are handled in the username parameter, specifically in the loginok.html endpoint that handles the authentication process. The flaw occurs when the application's c_CheckUser() function processes the username using strlen(), which only counts characters up to the first null byte, so everything after that byte is ignored by the check but still carried along with the username. This allows attackers to bypass authentication checks and inject arbitrary Lua code that is executed when the session file is loaded. The vulnerability has received a CVSS v3.1 score of 10.0 (Critical), indicating the highest possible severity (NVD, RCE Security).
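The following C is an added illustration of the bug class described above, not Wing FTP Server's code: a login check that trusts C-string functions sees only the bytes before an embedded null, while a serializer that works from the declared length stores the whole field. The account name "anonymous", MAX_FIELD and the session-record layout are constructed for the example; the hardened variant shows the length check that closes the gap.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative stand-in, not Wing FTP Server's code. The account name
 * "anonymous", MAX_FIELD and the session-record layout are constructed. */
#define MAX_FIELD 64

/* A serializer that works from the declared length keeps every byte the
 * client sent, including anything after an embedded NUL. */
static size_t record_session(const char *field, size_t len, char *out, size_t cap) {
    size_t n = len < cap ? len : cap;
    memcpy(out, field, n);
    return n;
}

/* Vulnerable pattern: the account check goes through C-string functions
 * (strcmp here, strlen in the advisory), which stop at the first NUL.
 * "anonymous\0..." therefore authenticates as "anonymous" while the whole
 * field is written to the session record. */
static bool login_strlen_based(const char *field, size_t len,
                               char *sess, size_t cap, size_t *written) {
    char name[MAX_FIELD + 1];
    if (len > MAX_FIELD) return false;
    memcpy(name, field, len);
    name[len] = '\0';
    if (strcmp(name, "anonymous") != 0) return false; /* sees only the prefix */
    *written = record_session(field, len, sess, cap);
    return true;
}

/* Hardened pattern: inspect the field against its declared length before
 * any C-string function touches it; an embedded NUL means the checked
 * string and the stored bytes differ, so the request is rejected. */
static bool login_length_checked(const char *field, size_t len,
                                 char *sess, size_t cap, size_t *written) {
    if (memchr(field, '\0', len) != NULL) return false; /* embedded NUL */
    return login_strlen_based(field, len, sess, cap, written);
}

/* Bytes recorded into a scratch session buffer, or 0 when login is rejected. */
size_t try_login(bool hardened, const char *field, size_t len) {
    char sess[MAX_FIELD];
    size_t w = 0;
    bool ok = hardened ? login_length_checked(field, len, sess, sizeof sess, &w)
                       : login_strlen_based(field, len, sess, sizeof sess, &w);
    return ok ? w : 0;
}
```

With the constructed 15-byte field "anonymous\0extra", the strlen-based path accepts the login and records all 15 bytes, while the length-checked path rejects it outright.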
The vulnerability allows attackers to execute arbitrary system commands with the privileges of the FTP service, which runs as root on Linux systems and as SYSTEM on Windows by default. According to Censys data, there are 8,103 publicly accessible devices running Wing FTP Server, 5,004 of which have their web interface exposed. The majority of affected instances are located in the U.S., China, Germany, the U.K., and India (Hacker News).
Organizations are strongly advised to upgrade to Wing FTP Server version 7.4.4 or later, which contains the fix for this vulnerability. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch agencies to apply the fixes by August 4, 2025 (Hacker News).
Source: This report was generated using AI