CVE-2025-47812 Scanner

Wing FTP Server is an efficient and secure FTP server solution used by a variety of organizations for transferring files over networks. It provides features such as web-based interface management, encrypted file transfers, and event management. Typically used by IT administrators and professionals, Wing FTP Server can support multiple file transfer protocols like FTP, HTTP, and SFTP. It is favored in sectors where secure and reliable file transfers are essential, such as finance, healthcare, and tech industries. Wing FTP Server's ease of use and robust feature set make it a popular choice for businesses wanting to manage their data transfers securely.

This vulnerability involves a Remote Code Execution (RCE) flaw in Wing FTP Server, specifically affecting versions up to 7.4.3. The vulnerability arises due to improper handling of NULL bytes in the 'username' parameter during login. This improper handling allows for Lua code injection within session files. These injected session files can subsequently be executed when interacting with authenticated endpoints, allowing arbitrary command execution. The vulnerability is critical as it allows for execution with elevated privileges, compromising the server's integrity.

The RCE vulnerability in Wing FTP Server exploits the login process by injecting malicious Lua scripts. The vulnerability uses improper NULL byte handling to insert scripts into session files, which are later executed. Attackers take advantage of endpoints like /dir.html to trigger these malicious scripts. The inappropriate handling during login results in unauthorized commands running with elevated server permissions. These exploits are possible particularly when anonymous login is enabled in the server settings. The technical basis of this vulnerability requires careful consideration of both username parameter handling and session file security.

Exploiting this vulnerability can have severe consequences, including unauthorized access to sensitive data and potential control over the server. Attackers could potentially execute any command on the server, leading to data theft or service disruption. Additionally, the compromised server could be used as a launch pad for further attacks within the organization. The elevated privileges mean attackers can have a significant impact, potentially altering, deleting, or injecting harmful data. The critical nature of this vulnerability highlights the necessity for immediate remediation to maintain server integrity and security.

REFERENCES

• https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
• https://github.com/4m3rr0r/CVE-2025-47812-poc