CVE-2025-47812 - Wing FTP Server Wing FTP Server
AI Vulnerability ContextIn Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonym...
Overview
A source-backed snapshot of this vulnerability.
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Vulnerability status
How serious this vulnerability is and whether it is known to be exploited.
- CVE ID
- CVE-2025-47812
- Vendor/project
- Wing FTP Server
- Product
- Wing FTP Server
- Vulnerability name
- Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
- Date added
- 2025-07-14
- Due date
- 2025-08-04
- Known ransomware campaign use
- Unknown
- CVSS v3
- 10.0
Exploit context
What the vulnerability is about.
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
