In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
The web interfaces of Wing FTP Server's user and administrator panels improperly handle NULL bytes ('\0'). An attacker can exploit this flaw to inject arbitrary Lua code into user session files. The injected Lua code is then executed in the context of the FTP service, allowing execution of arbitrary system commands. Importantly, the vulnerability can be exploited through anonymous FTP accounts — without requiring any authentication credentials.
The attacker gains the ability to execute arbitrary system commands with the privileges of the root user (Linux) or SYSTEM (Windows), resulting in complete server compromise, including access to data, configuration, and further network escalation.
Wing FTP Server must be immediately updated to version 7.4.4 or later. If immediate patching is not possible, consider disabling anonymous FTP access and restricting access to web interfaces at the firewall level. Patch is available from the vendor at www.wftpserver.com.
Wing FTP Server in all versions before 7.4.4 (affects both Linux and Windows installations).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWftpserver Wing Ftp Server
APPWftpserver< 7.4.4
CISA KEV — detailsi
- Vendori
- Wing FTP Server
- Producti
- Wing FTP Server
- Added to KEVi
- July 14, 2025
- Remediation deadline (US Federal)i
- August 4, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
Related vulnerabilities
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session seri...
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows ...
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...
Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and...