CVE-2025-47812
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability - [Actively Exploited]
Description
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
INFO
Published Date :
July 10, 2025, 5:15 p.m.
Last Modified :
July 15, 2025, 2:43 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Public PoC/Exploit Available at Github
CVE-2025-47812 has a 17 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-47812.
| URL | Resource |
|---|---|
| https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit Third Party Advisory |
| https://www.wftpserver.com | Broken Link |
| https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild | Exploit Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-47812 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-47812
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python
None
CVE-2025-47812
Python
None
Python
Detection for CVE-2025-47812
ftp kev vulnerability wingftp
Exploit for CVE-2025-47812 with custom psudo shell and robust error handling.
Python
Remote Command Execution exploit for Wing FTP Server (CVE-2025-47812)
Python
Wing FTP Server RCE via Lua Injection
Python
Simple exploit for Wing FTP Server RCE (CVE-2025-47812) to run commands and get a reverse shell. For educational use only.
Python
Wing FTP Server Remote Code Execution (RCE) Exploit (CVE-2025-47812)
Python
DamnVulnerableInfrastructure
Shell Dockerfile Makefile Lua CSS HTML JavaScript Smalltalk Python Java
Links of research blogs published by me.
None
HTML Python Shell
CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.
Python
None
Shell Ruby HTML JavaScript SCSS Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-47812 vulnerability anywhere in the article.
-
Help Net Security
Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)
Unknown attackers have exploited a vulnerability (CVE-2025‑54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments. It’s currently uncle ... Read more
-
CybersecurityNews
PoC Exploit Released for High-Severity Git CLI Arbitrary File Write Vulnerability
A critical vulnerability in Git CLI enables arbitrary file writes on Linux and macOS systems, with working proof-of-concept exploits now publicly available. CVE-2025-48384, assigned a CVSS severity sc ... Read more
-
CybersecurityNews
CISA Warns of Wing FTP Server Vulnerability Actively Exploited in Attacks
CISA has issued an urgent warning about a critical vulnerability in Wing FTP Server that is being actively exploited by cybercriminals. The vulnerability, tracked as CVE-2025-47812, poses significant ... Read more
-
Daily CyberSecurity
ImageMagick Flaw (CVE-2025-53101): Stack Buffer Overflow Allows Potential Remote Code Execution
A flaw has been discovered in ImageMagick, the widely used open-source image manipulation suite, that could lead to stack buffer overflows under specific conditions involving image filename templates. ... Read more
-
CybersecurityNews
Wing FTP Server Vulnerability Actively Exploited – 2000+ Servers Exposed Online
Security researchers have confirmed active exploitation of a critical vulnerability in Wing FTP Server, just one day after technical details were publicly disclosed. The flaw, tracked as CVE-2025-4781 ... Read more
-
BleepingComputer
Hackers are exploiting critical RCE flaw in Wing FTP Server
Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public. The observed attack ran multiple enume ... Read more
-
The Register
CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warn
Huntress security researchers observed exploitation of the CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server on July 1, just one day after its public disclosure. Wing FTP Server is a cross ... Read more
-
The Hacker News
Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
Jul 11, 2025Ravie LakshmananCyber Attack / Vulnerability A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according t ... Read more
-
security.nl
Kritieke kwetsbaarheid in Wing FTP Server actief misbruikt bij aanvallen
Een kritieke kwetsbaarheid in Wing FTP Server wordt actief misbruikt bij aanvallen en laat aanvallers kwetsbare servers volledig overnemen. Dat laat securitybedrijf Huntress weten. Een update voor de ... Read more
-
security.nl
Kritieke kwetsbaarheid in Wing FTP Server actief misbruikt bij aanvallen
Een kritieke kwetsbaarheid in Wing FTP Server wordt actief misbruikt bij aanvallen en laat aanvallers kwetsbare servers volledig overnemen. Dat laat securitybedrijf Huntress weten. Een update voor de ... Read more
-
huntress.com
Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
Summary TL;DR: Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixe ... Read more
The following table lists the changes that have been made to the
CVE-2025-47812 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jul. 15, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.4.4 Added Reference Type CISA-ADP: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild Types: Exploit, Third Party Advisory Added Reference Type MITRE: https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ Types: Exploit, Third Party Advisory Added Reference Type MITRE: https://www.wftpserver.com Types: Broken Link -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 15, 2025
Action Type Old Value New Value Added Date Added 2025-07-14 Added Due Date 2025-08-04 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 14, 2025
Action Type Old Value New Value Added Reference https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild -
New CVE Received by [email protected]
Jul. 10, 2025
Action Type Old Value New Value Added Description In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-158 Added Reference https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ Added Reference https://www.wftpserver.com