CVE-2025-47812

CriticalCISA KEVActive ExploitationPublic PoC

Published: 10 July 2025

Published

10 July 2025

Modified

05 November 2025

KEV Added

14 July 2025

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.9284 99.8th percentile

Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47812 is a critical-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Wftpserver Wing Ftp Server. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in Wing FTP Server by patching to version 7.4.4 or later, directly eliminating the null byte mishandling leading to RCE.

SI-10 Information Input Validation good match

prevent

Enforces validation of information inputs to web and FTP interfaces, preventing injection of arbitrary Lua code via mishandled '\0' bytes.

AC-6 Least Privilege partial match

prevent

Limits the impact of successful RCE by ensuring the FTP service runs with least privilege instead of root or SYSTEM.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.011 Lua Execution

Adversaries may abuse Lua commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Direct unauthenticated RCE on public-facing FTP/web interface via Lua code injection into session files, enabling arbitrary command execution as root/SYSTEM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the…

FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.

Deeper analysisAI

CVE-2025-47812 is a remote code execution vulnerability affecting Wing FTP Server versions before 7.4.4. The user and admin web interfaces mishandle null bytes ('\0'), enabling attackers to inject arbitrary Lua code into user session files. This flaw, tied to CWE-158 (Unicode Encoding Error), allows execution of arbitrary system commands with the privileges of the FTP service, which runs as root or SYSTEM by default, guaranteeing total server compromise.

Attackers require no authentication and can exploit the vulnerability remotely over the network with low complexity, as reflected in its perfect CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Exploitation is possible even via anonymous FTP accounts, allowing unauthenticated remote actors to achieve full control, including data theft, modification, or deletion, and potential lateral movement within the environment.

Vendor advisories on wftpserver.com recommend upgrading to version 7.4.4 or later to mitigate the issue. Vicarius provides detection and mitigation scripts for identifying vulnerable installations and applying workarounds. The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog, underscoring the need for immediate patching.

Its presence in CISA's KEV catalog indicates real-world exploitation is occurring or imminent, urging security practitioners to prioritize scanning and remediation for exposed Wing FTP Server instances.

Details

CWE(s): CWE-158
KEV Date Added: 14 July 2025

Affected Products

wftpserver

wing ftp server

≤ 7.4.4

CVEs Like This One

CVE-2025-47813Same product: Wftpserver Wing Ftp Serverboth on KEV

CVE-2025-27889Same product: Wftpserver Wing Ftp Server

CVE-2020-37032Same product: Wftpserver Wing Ftp Server

CVE-2019-25267Same product: Wftpserver Wing Ftp Server

CVE-2025-14388Shared CWE-158

CVE-2025-1936Shared CWE-158

CVE-2026-33191Shared CWE-158

References

https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
Exploit, Third Party Advisory · cve@mitre.org
https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
Third Party Advisory · cve@mitre.org
https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
Mitigation, Third Party Advisory · cve@mitre.org
https://www.wftpserver.com
Product · cve@mitre.org
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0