Cyber Resilience

CVE-2025-47812

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 July 2025

Published
10 July 2025
Modified
05 November 2025
KEV Added
14 July 2025
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.9293 99.8th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47812 is a critical-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Wftpserver Wing Ftp Server. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-47812 affects Wing FTP Server versions prior to 7.4.4. The user and admin web interfaces fail to properly handle null bytes, permitting injection of arbitrary Lua code into user session files. Successful exploitation yields remote code execution that runs with the privileges of the FTP service, which defaults to root on Unix-like systems or SYSTEM on Windows, enabling full server compromise.

The flaw is remotely exploitable over the network without authentication or user interaction, including through anonymous FTP accounts. An attacker can therefore achieve arbitrary system command execution and total control of the affected server.

Public references include a detailed technical analysis at rcesecurity.com, detection and mitigation scripts published by vicarius, the vendor site at wftpserver.com, and an entry in the CISA Known Exploited Vulnerabilities catalog confirming active exploitation in the wild. Upgrading to version 7.4.4 or later is the primary remediation path referenced.

The EPSS score has remained consistently high, with a current value of 0.9293 and a peak of 0.9311.

EU & UK References

Vulnerability details

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the…

more

FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.

CWE(s)
KEV Date Added
14 July 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.011 Lua Execution
Adversaries may abuse Lua commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE on public-facing FTP/web interface via Lua code injection into session files, enabling arbitrary command execution as root/SYSTEM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47813Same product: Wftpserver Wing Ftp Serverboth on KEV
CVE-2026-44403Same product: Wftpserver Wing Ftp Server
CVE-2025-27889Same product: Wftpserver Wing Ftp Server
CVE-2020-37032Same product: Wftpserver Wing Ftp Server
CVE-2019-25267Same product: Wftpserver Wing Ftp Server
CVE-2025-14388Shared CWE-158
CVE-2025-1936Shared CWE-158
CVE-2026-33191Shared CWE-158

Affected Assets

wftpserver
wing ftp server
≤ 7.4.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific flaw in Wing FTP Server by patching to version 7.4.4 or later, directly eliminating the null byte mishandling leading to RCE.

prevent

Enforces validation of information inputs to web and FTP interfaces, preventing injection of arbitrary Lua code via mishandled '\0' bytes.

prevent

Limits the impact of successful RCE by ensuring the FTP service runs with least privilege instead of root or SYSTEM.

References