CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-47812

CVSS 10.0v3.1pub. 2025-07-10upd. 2025-11-05

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.

🤖 AI Analysis
How it works

The web interfaces of Wing FTP Server's user and administrator panels improperly handle NULL bytes ('\0'). An attacker can exploit this flaw to inject arbitrary Lua code into user session files. The injected Lua code is then executed in the context of the FTP service, allowing execution of arbitrary system commands. Importantly, the vulnerability can be exploited through anonymous FTP accounts — without requiring any authentication credentials.

Impact

The attacker gains the ability to execute arbitrary system commands with the privileges of the root user (Linux) or SYSTEM (Windows), resulting in complete server compromise, including access to data, configuration, and further network escalation.

Mitigation & patch

Wing FTP Server must be immediately updated to version 7.4.4 or later. If immediate patching is not possible, consider disabling anonymous FTP access and restricting access to web interfaces at the firewall level. Patch is available from the vendor at www.wftpserver.com.

Who is affected

Wing FTP Server in all versions before 7.4.4 (affects both Linux and Windows installations).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Wftpserver Wing Ftp Server

    APP
    Wftpserver
    < 7.4.4

CISA KEV — detailsi

Vendori
Wing FTP Server
Producti
Wing FTP Server
Added to KEVi
July 14, 2025
Remediation deadline (US Federal)i
August 4, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 sierpnia 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-44403HIGH8.6ten sam produkt

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session seri...

CVE-2019-25267HIGH8.5ten sam produkt

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...

CVE-2020-37032HIGH8.6ten sam produkt

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows ...

CVE-2025-5196HIGH7.5ten sam produkt

A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...

CVE-2020-8635HIGH7.8ten sam produkt

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and...