CVE-2025-47812
Published: 10 July 2025
Summary
CVE-2025-47812 is a critical-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Wftpserver Wing Ftp Server. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-47812 affects Wing FTP Server versions prior to 7.4.4. The user and admin web interfaces fail to properly handle null bytes, permitting injection of arbitrary Lua code into user session files. Successful exploitation yields remote code execution that runs with the privileges of the FTP service, which defaults to root on Unix-like systems or SYSTEM on Windows, enabling full server compromise.
The flaw is remotely exploitable over the network without authentication or user interaction, including through anonymous FTP accounts. An attacker can therefore achieve arbitrary system command execution and total control of the affected server.
Public references include a detailed technical analysis at rcesecurity.com, detection and mitigation scripts published by vicarius, the vendor site at wftpserver.com, and an entry in the CISA Known Exploited Vulnerabilities catalog confirming active exploitation in the wild. Upgrading to version 7.4.4 or later is the primary remediation path referenced.
The EPSS score has remained consistently high, with a current value of 0.9293 and a peak of 0.9311.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21009
Vulnerability details
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the…
more
FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
- CWE(s)
- KEV Date Added
- 14 July 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE on public-facing FTP/web interface via Lua code injection into session files, enabling arbitrary command execution as root/SYSTEM.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the specific flaw in Wing FTP Server by patching to version 7.4.4 or later, directly eliminating the null byte mishandling leading to RCE.
Enforces validation of information inputs to web and FTP interfaces, preventing injection of arbitrary Lua code via mishandled '\0' bytes.
Limits the impact of successful RCE by ensuring the FTP service runs with least privilege instead of root or SYSTEM.