Wing FTP Server's NULL Byte Nightmare: Unauthenticated RCE via CVE-2025-47812

An in-depth technical exploration of CVE-2025-47812, a critical NULL byte handling flaw in Wing FTP Server enabling unauthenticated remote code execution.
CVE Analysis

10 min read

ZeroPath Security Research

2025-07-10

Introduction

Wing FTP Server, a widely adopted cross-platform file transfer solution, is affected by a severe vulnerability, CVE-2025-47812. Rated CVSS 10.0, the flaw lets an unauthenticated attacker execute arbitrary code on the server, a catastrophic outcome for any organization running it. Given Wing FTP Server's extensive use across enterprises, educational institutions, and government agencies, the potential impact is immense.

Technical Information

CVE-2025-47812 stems from improper handling of NULL bytes (%00) in the username parameter of the /loginok.html endpoint. An attacker places a NULL byte followed by Lua code in the username, and the server writes that code into a session file. Session files are stored as Lua scripts and are executed when the server processes an authenticated endpoint such as /dir.html. Because Wing FTP Server runs as root or SYSTEM by default, the injected Lua code runs with those privileges, enabling full system compromise.
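To make the hardening point concrete, here is an added Python illustration (not Wing FTP Server's code, and not ZeroPath's) of why validating a username through a C-style, NUL-terminated view of the string fails once a NULL byte is present, next to a check that rejects the byte outright before anything is stored. The function names and the allowed-character pattern are assumptions made for this example.

```python
"""Added illustration, not Wing FTP Server's code: how a NULL byte defeats
validation performed on a C-style (NUL-terminated) view of the username,
and a hardened check that rejects the byte before anything is stored.
All names and the allowed-character pattern below are assumptions."""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical username policy: printable ASCII subset, 1 to 64 characters.
ALLOWED = re.compile(rb"^[A-Za-z0-9._@-]{1,64}$")


def decode_form_value(value: str) -> bytes:
    """Percent-decode a form field to raw bytes, so %00 becomes a real NUL byte."""
    return unquote_to_bytes(value.replace("+", " "))


def c_string_view(raw: bytes) -> bytes:
    """Simulate a C API that treats the first NUL as the end of the string."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def flawed_is_valid(raw: bytes) -> bool:
    """Flawed pattern: the policy is checked on the truncated view, while later
    code (session-file writer, logger, ...) still handles the full buffer."""
    return ALLOWED.match(c_string_view(raw)) is not None


def hardened_is_valid(raw: bytes) -> bool:
    """Hardened check: reject NUL and any other control byte first, then apply
    the policy to the entire buffer, never to a truncated view of it."""
    if any(b < 0x20 or b == 0x7F for b in raw):
        return False
    return ALLOWED.match(raw) is not None


if __name__ == "__main__":
    # Constructed sample: a harmless suffix after the NUL stands in for
    # whatever follows it; the point is which check lets it through.
    sample = decode_form_value("anonymous%00extra")
    print("flawed   :", flawed_is_valid(sample))    # True  (bypassed)
    print("hardened :", hardened_is_valid(sample))  # False (rejected)
```

The design choice that matters is ordering: control bytes are rejected on the raw decoded buffer before any length or character policy runs, so every later consumer of the value sees exactly what the validator saw.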

Proof of Concept

The PoC exploit for CVE-2025-47812, available on GitHub, demonstrates automated exploitation via a Python script. It constructs a malicious username containing a NULL byte, sends it to the server, and injects Lua code capable of executing system commands or establishing a reverse shell. This PoC highlights the critical importance of robust input validation in authentication mechanisms.

Patch Information

Wing FTP Server version 7.4.4, released on May 14, 2025, addresses CVE-2025-47812 by implementing stringent input validation and access control mechanisms. The update also mitigates full path disclosure vulnerabilities, enhances user input handling, updates third-party libraries like libssh, and improves the "Wing Download Manager" browser extension.

Detection Methods

CVE-2025-47812 can be detected with Nuclei, an open-source vulnerability scanner driven by YAML templates. A template specifies the request to send and the matchers that identify a vulnerable response, so the check is precise and repeatable. Because templates are community-maintained and updated regularly, security teams can pick up the check for this CVE quickly and identify exposed servers before they are exploited.
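As an added example (not a Nuclei template, and not ZeroPath's or the vendor's code), the same condition can also be caught on the defender's side from traffic records: the Python below scans login requests for a username field that still contains a NULL byte after percent-decoding. The log format is constructed for this example, and it assumes a reverse proxy or WAF that records request bodies, since ordinary access logs capture only the query string.

```python
"""Added detection example, not a Nuclei template and not ZeroPath's code:
flag requests to /loginok.html whose form fields decode to a NULL byte.
The log line format is constructed; it assumes the proxy/WAF in front of
the server records the request body, which plain access logs do not."""
import re
from urllib.parse import parse_qsl

# Constructed sample: "<client ip> <method> <path[?query]> body=<form data>"
SAMPLE_LOG = """\
10.0.0.5 POST /loginok.html body=username=alice&password=s3cret
10.0.0.9 POST /loginok.html body=username=anonymous%00junk&password=x
10.0.0.9 GET /loginok.html?username=anonymous%00&password=x body=
10.0.0.7 POST /dir.html body=
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$"
)
LOGIN_PATH = "/loginok.html"


def nul_bearing_fields(form_data: str):
    """Return [(field, nul_count)] for fields whose decoded value holds a NUL.
    parse_qsl percent-decodes, so %00 becomes a real '\\x00' in the value."""
    hits = []
    for name, value in parse_qsl(form_data, keep_blank_values=True):
        if "\x00" in value:
            hits.append((name, value.count("\x00")))
    return hits


def analyze_line(line: str):
    """Parse one log line; return a finding dict for a suspicious login, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    if path != LOGIN_PATH:
        return None
    # Check both places a form field can travel: query string and body.
    hits = nul_bearing_fields(query) + nul_bearing_fields(m["body"])
    if not hits:
        return None
    return {"ip": m["ip"], "method": m["method"], "hits": hits}


def scan(log_text: str):
    """Run analyze_line over every line and collect the findings in order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['method']} -> NUL in {finding['hits']}")
```

A hit here is a high-confidence signal: there is no legitimate reason for a username submitted to a login form to contain a NULL byte, so the finding can feed straight into blocking or incident triage.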

Affected Systems and Versions

  • Wing FTP Server versions ≤7.4.3 (Linux, Windows, macOS)
  • Vulnerable endpoint: /loginok.html
  • Default configurations with anonymous FTP accounts enabled

Vendor Security History

Wing FTP Server has previously had critical vulnerabilities, including credential leaks and path disclosures. While the vendor addressed CVE-2025-47812 promptly, its continued use of high-privilege defaults remains a significant security concern and highlights a need for improved security practices.

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]
