Wing FTP Server RCE Exploit – CVE-2025-47812 PoC
GitHub Repository: https://github.com/4m3rr0r/CVE-2025-47812-poc
Overview
A critical Remote Code Execution (RCE) vulnerability (CVE‑2025‑47812) in Wing FTP Server (versions ≤ 7.4.3) lets a remote attacker who can reach the web login endpoint execute arbitrary system commands with the privileges of the server process, which runs as root (Linux/macOS) or SYSTEM (Windows) by default. No administrative access is needed: the PoC logs in as the anonymous account by default, and any account the attacker can log in as will do.
The flaw stems from improper handling of NULL bytes (\0) in the username parameter of the login request. The authentication check stops at the NULL, but the full username is later written into a Lua session file, so everything after the NULL is injected into that file as Lua code.
Exploit Proof‑of‑Concept
4m3rr0r’s Python PoC sends a login request whose username is a valid account name, a URL‑encoded NULL byte (%00), and then a Lua payload.
The server accepts the login based on the part before the NULL and creates a session file that contains the Lua payload verbatim. That file is loaded, and the injected Lua executed, as soon as an authenticated page (e.g., /dir.html) is requested with the new session cookie, giving full compromise of the host.
Highlights of the PoC script:
- Supports a single target URL or a batch file of URLs
- Custom command execution (default: whoami)
- Writes vulnerable targets to an output file
- Configurable username (default: anonymous)
- Verbose mode for detailed output
Technical Analysis
- The login handler (c_CheckUser()) measures the username with strlen(), so the check sees only the bytes before the first NULL. A username such as anonymous%00<payload> therefore authenticates as anonymous.
- Session creation, however, uses the full, unsanitized buffer: everything after the NULL is written into the Lua session file unescaped, where it lands inside (and can break out of) a string literal.
- When the session file is loaded (via SessionModule.load()), the Lua engine parses and runs the file, and with it the injected code. That is the RCE.
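The mechanism above, modelled in Python as an added example (this is neither the 4m3rr0r PoC nor Wing FTP Server code): an authentication check that behaves like strlen()-bounded C code beside a session writer that serialises the whole buffer into a Lua script, followed by the hardened versions of both. The Lua session-file layout (Session["username"] = "..."), the known-user list and the payload shape are assumptions chosen for illustration; the real PoC's payload is not reproduced.

```python
# Added example, not code from the 4m3rr0r PoC or from Wing FTP Server.
# Session-file layout, user list and payload below are assumptions.
from urllib.parse import unquote_to_bytes

KNOWN_USERS = {b"anonymous"}  # assumed account list


def c_string(buf: bytes) -> bytes:
    """Emulate strlen()-style handling: bytes after the first NUL are invisible."""
    return buf.split(b"\x00", 1)[0]


def check_user_vulnerable(username: bytes) -> bool:
    """Vulnerable login check: only the NUL-terminated prefix is compared."""
    return c_string(username) in KNOWN_USERS


def write_session_vulnerable(username: bytes) -> str:
    """Vulnerable session writer: the entire buffer is dropped into a Lua string
    literal unescaped. A quote inside the input closes the literal and whatever
    follows is parsed as Lua code when the file is loaded."""
    return 'Session["username"] = "%s"\n' % username.decode("latin-1")


def check_user_fixed(username: bytes) -> bool:
    """Hardened check: reject NUL and any other non-printable byte up front, so
    the view the auth check has and the view the session writer has cannot differ."""
    if not username or any(b < 0x20 or b > 0x7E for b in username):
        return False
    return username in KNOWN_USERS


def lua_quote(s: str) -> str:
    """Escape a value for a Lua double-quoted literal (defence in depth, in
    case a control byte ever gets past the input check)."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\n", "\\n").replace("\r", "\\r").replace("\x00", "\\0"))


def write_session_fixed(username: bytes) -> str:
    return 'Session["username"] = "%s"\n' % lua_quote(username.decode("latin-1"))


def simulate(raw_login_username: str, fixed: bool) -> dict:
    """Process one login. `raw_login_username` is the URL-encoded form value
    exactly as it would arrive on the wire, e.g. 'anonymous%00...'."""
    username = unquote_to_bytes(raw_login_username)
    if fixed:
        ok = check_user_fixed(username)
        session = write_session_fixed(username) if ok else None
    else:
        ok = check_user_vulnerable(username)
        session = write_session_vulnerable(username) if ok else None
    return {"auth_ok": ok, "session_file": session}


# Constructed input: a valid prefix, a NUL, then text that closes the Lua
# literal and appends a statement. os.execute("id") stands in for any command.
INJECTED = 'anonymous%00"; os.execute("id") --'

if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(INJECTED, fixed=mode)
        print("fixed" if mode else "vulnerable", r)
```

Run as written: the vulnerable path reports auth_ok=True and a session file whose username line reads Session["username"] = "anonymous\x00"; os.execute("id") --", i.e. the payload sits outside the string literal; the fixed path refuses the login before any file is written. The important design point is that the input check and the serializer must agree on what the string is; escaping alone would still leave a NUL-truncated auth check.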
Impact & Severity
- Privilege: root/SYSTEM (the default service context for Wing FTP Server)
- Severity: CVSS 3.x 10.0/10.0
- Exploitation: confirmed in the wild since July 1, 2025
- Targets: Linux, Windows and macOS installations running Wing FTP Server ≤ 7.4.3
Detection & Mitigation
✅ Detection
- Review login logs for usernames that contain a NULL byte (or its URL-encoded form %00), and for anonymous logins from unexpected sources
- Inspect the Lua session files (session/*.lua) for anything other than plain value assignments: a NULL byte, a closed string literal followed by code, or calls such as os.execute() and io.popen()
- Check process-creation telemetry for the Wing FTP Server process spawning a shell or other unexpected child processes
- Use Nuclei templates (e.g., the one contributed by 4m3rr0r) to scan your own endpoints for the vulnerable version
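A scanner for the session-file and log indicators listed above, as an added example (not part of the PoC repository or of Wing FTP Server). The session-file layout and the log-line format it parses are constructed for illustration and are assumptions, not the product's real formats, so adapt the regular expressions to what your installation actually writes.

```python
# Added example for the detection guidance above. Session-file layout and
# log-line format are assumptions; the sample data is constructed.
import re
from pathlib import Path

# Lua primitives an injected session file needs to run a command or load code.
# A legitimate session file should contain only value assignments.
LUA_EXEC_RE = re.compile(
    r"\b(os\.execute|io\.popen|load|loadstring|dofile|require)\s*\(")

# A raw NUL byte or its URL-encoded form.
NUL_RE = re.compile(rb"\x00|%00", re.IGNORECASE)

# Assumed username line in a session file: Session["username"] = "<value>"
USERNAME_LINE_RE = re.compile(r'\s*Session\["username"\]\s*=\s*"([^"]*)"(.*)$')


def scan_session_file(name: str, data: bytes) -> list[str]:
    """Return findings for one session/*.lua file, content passed in as bytes."""
    findings = []
    if NUL_RE.search(data):
        findings.append(f"{name}: NUL byte inside session file")
    text = data.decode("latin-1")
    for m in LUA_EXEC_RE.finditer(text):
        findings.append(f"{name}: Lua execution primitive {m.group(1)}() in session file")
    # A username literal with code after the closing quote on the same line is
    # the characteristic shape of the injection.
    for line in text.splitlines():
        m = USERNAME_LINE_RE.match(line)
        if m and m.group(2).strip() not in ("", ";"):
            findings.append(
                f"{name}: trailing code after username literal: {m.group(2).strip()!r}")
    return findings


def scan_login_log(lines: list[bytes]) -> list[str]:
    """Flag login log lines carrying a NUL/%00 or a Lua execution primitive."""
    findings = []
    for line in lines:
        if NUL_RE.search(line) or LUA_EXEC_RE.search(line.decode("latin-1")):
            findings.append("login log: suspicious username in " + line.decode("latin-1").rstrip())
    return findings


def scan_session_dir(path: str) -> list[str]:
    """Walk a real session directory on disk and scan every *.lua file."""
    findings = []
    for p in sorted(Path(path).glob("*.lua")):
        findings.extend(scan_session_file(p.name, p.read_bytes()))
    return findings


# Constructed samples (assumed layouts, not captured from a real server).
BENIGN_SESSION = b'Session["username"] = "anonymous"\nSession["ip"] = "203.0.113.7"\n'
INJECTED_SESSION = (b'Session["username"] = "anonymous\x00"; os.execute("whoami") --"\n'
                    b'Session["ip"] = "203.0.113.9"\n')
LOG_LINES = [
    b"2025-07-01 10:00:01 LOGIN anonymous from 203.0.113.7",
    b'2025-07-01 10:00:05 LOGIN anonymous%00"; os.execute("whoami") -- from 203.0.113.9',
]

if __name__ == "__main__":
    for f in (scan_session_file("benign.lua", BENIGN_SESSION)
              + scan_session_file("injected.lua", INJECTED_SESSION)
              + scan_login_log(LOG_LINES)):
        print(f)
```

Point scan_session_dir() at the server's session directory to sweep real files; the benign sample yields no findings, the injected sample yields three (NUL byte, os.execute() call, code after the username literal). Treat the literal-shape check as a heuristic: an attacker can vary the Lua after the quote, but the NUL byte has no legitimate reason to appear in a username, so that indicator is the one to alert on.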
🛠 Mitigation
- PATCH: Upgrade to Wing FTP Server 7.4.4 or later (released May 14, 2025); this is the only real fix
- Disable anonymous login if it is not required (the PoC uses the anonymous account by default), and rotate credentials for any account that may have been used to log in
- Until patched, restrict network access to the server's HTTP(S) interface to trusted sources
- Vendor-side, the fix is to reject NULL and other control bytes in the username before authentication and to escape values written into session files
📌 Monitoring
- Track the CISA Known Exploited Vulnerabilities (KEV) catalog, which lists CVE‑2025‑47812 with a remediation deadline of August 4, 2025
- Watch threat intelligence from Huntress, SonicWall and Help Net Security for exploit indicators
Use Cases
- ✅ Security teams can integrate this PoC into internal pentests to validate exposure
- ✅ Blue teams should search for signs of Lua injection in session files and anomalous login behaviors
- ✅ Incident responders can use forensic analysis of session/*.lua to assess potential compromise
Conclusion
CVE‑2025‑47812 is a severe RCE bug in Wing FTP Server, allowing total server compromise with minimal effort. The availability of a simple PoC — combined with confirmed active exploitation — makes this a critical issue for any organization running impacted versions.
Immediate Action Recommended:
- Patch to version 7.4.4 or later
- Audit logs and session files for signs of abuse
- Continue monitoring threat alerts and threat intelligence
Stay safe, stay patched.