CVE-2025-47812 — Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability

CVE-2025-47812

Wing FTP Server — Null Byte Injection Enabling Lua Code Execution as SYSTEM/root (CVSS 10)

What is Wing FTP Server?

Wing FTP Server is a cross-platform (Windows, Linux, macOS) enterprise FTP/FTPS/SFTP/HTTP/HTTPS file transfer server. It is used by organizations for managed file transfer, typically handling sensitive business documents, financial data, and internal file sharing. Wing FTP Server uses Lua as its scripting and session management engine, enabling customizable server-side logic. Because Wing FTP typically runs as a privileged service (SYSTEM on Windows, root on Linux/macOS) and is internet-facing by design, a pre-authentication RCE vulnerability gives an attacker full system-level access.

Overview

CVE-2025-47812 is a maximum-severity null byte injection vulnerability (CWE-158, CVSS 10.0) in Wing FTP Server's login and session handling. The c_CheckUser() function measures the submitted username with strlen(), which stops at the first embedded null byte (sent URL-encoded as %00), so only the prefix before the null byte is validated. The bytes after the null byte are nonetheless written into the Lua session file created for that login. Because Wing FTP executes session files with SYSTEM/root privileges, the attacker obtains arbitrary code execution at the highest available privilege level with no authentication required. Wing FTP silently fixed the issue in version 7.4.4 (May 14, 2025); the public write-up followed on June 30, 2025, and in-the-wild exploitation was observed within 24 hours of it.

Affected Versions

Platform                                   Vulnerable                     Fixed
Wing FTP Server (Windows, Linux, macOS)    All versions prior to 7.4.4    7.4.4 (released May 14, 2025)

Technical Details

The vulnerability (CWE-158: Improper Neutralization of Null Byte or NUL Character) sits in Wing FTP Server's c_CheckUser() authentication function. The function measures the submitted username with C's strlen(), which stops counting at the first null byte (\0). The request layer decodes %00 into a raw null byte, so a username such as admin%00<lua_payload> has, as far as strlen() is concerned, only the length of admin, and admin is what gets validated against the user database. The content after the null byte (<lua_payload>) is nonetheless written in full into the user's session object file on disk, because that code path evidently carries the string's real length rather than relying on the terminator.

Wing FTP Server's Lua engine subsequently loads this session file, and the injected bytes are interpreted as Lua code alongside the legitimate session data. Since the service typically runs as SYSTEM (Windows) or root (Linux/macOS), the injected code executes with full system privileges.

This effectively bypasses authentication: the null-terminated prefix can be any valid username (or, in some versions, even a blank string), while the payload after the null byte yields arbitrary RCE. The CVSS 10.0 vector with Scope: Changed reflects the full OS-level impact available to an unauthenticated network attacker: the vulnerable component is the file transfer service, but the injected code runs on the host with the service's privileges.
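As an added illustration (not Wing FTP's code; the product's real internals and on-disk session format are not reproduced here), the following C program models the two behaviours described above: a strlen()-style validator that only ever sees the prefix before the NUL, beside a length-aware writer that copies every byte of the name into a session record. The check_user_vulnerable, check_user_fixed, write_session and login_writes_payload names, the "key = [[value]]" session layout and the os.execute payload are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Single known account standing in for the user database. */
#define KNOWN_USER "admin"

/* Byte-string search that does not stop at NUL (memmem is not standard C). */
static bool contains(const char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen) return false;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return true;
    return false;
}

/* Vulnerable validator, modelled on the c_CheckUser() behaviour described
 * above: the caller passes the real length, but the check relies on C string
 * functions, which stop at the first NUL, so "admin\0..." equals "admin". */
bool check_user_vulnerable(const char *name, size_t len) {
    (void)len;                              /* real length is never consulted */
    return strcmp(name, KNOWN_USER) == 0;   /* strcmp stops at the NUL */
}

/* Hardened validator: reject any name carrying an embedded NUL before doing
 * anything else, then compare against the known user over the full length. */
bool check_user_fixed(const char *name, size_t len) {
    if (len == 0 || memchr(name, '\0', len) != NULL) return false;
    return len == strlen(KNOWN_USER) && memcmp(name, KNOWN_USER, len) == 0;
}

/* Length-aware session writer, modelling the Lua side: Lua strings carry an
 * explicit length, so every byte of the name is copied, NUL included. The
 * "username = [[...]]" layout is illustrative only, not Wing FTP's format.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t write_session(char *out, size_t outsz, const char *name, size_t len) {
    const char *pre = "username = [[";
    const char *post = "]]\n";
    size_t need = strlen(pre) + len + strlen(post);
    if (need > outsz) return 0;
    char *p = out;
    memcpy(p, pre, strlen(pre));   p += strlen(pre);
    memcpy(p, name, len);          p += len;
    memcpy(p, post, strlen(post));
    return need;
}

/* End-to-end model of one login request with the given validator. Returns
 * true if a session record containing the Lua payload would be written. */
bool login_writes_payload(bool (*check)(const char *, size_t),
                          const char *req, size_t reqlen) {
    char sess[256];
    if (!check(req, reqlen)) return false;      /* rejected: nothing written */
    size_t n = write_session(sess, sizeof sess, req, reqlen);
    return n > 0 && contains(sess, n, "os.execute");
}

int main(void) {
    /* Constructed request: a valid prefix, a NUL, then Lua that closes the
     * long-bracket string and runs a command. */
    static const char req[] = "admin\0]]os.execute(\"id\")--";
    size_t reqlen = sizeof req - 1;           /* true length, NUL included */
    printf("strlen() sees %zu bytes, request carries %zu\n", strlen(req), reqlen);
    printf("vulnerable: payload reaches session = %s\n",
           login_writes_payload(check_user_vulnerable, req, reqlen) ? "yes" : "no");
    printf("fixed:      payload reaches session = %s\n",
           login_writes_payload(check_user_fixed, req, reqlen) ? "yes" : "no");
    return 0;
}
```

The point of the model is the mismatch between the two layers: the validator and the writer agree on the buffer but not on its length, and the fix is to make the validator honour the real length (here by rejecting any embedded NUL outright, which is the usual CWE-158 remedy) before the string reaches anything that treats it as code.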

Discovery

Discovered by security researcher Julien Ahrens, who published a full technical write-up on June 30, 2025.

Exploitation Context

Huntress observed active exploitation beginning July 1, 2025 — just one day after Ahrens' public disclosure. On that first day, at least five distinct attacker IP addresses targeted a single Huntress-monitored customer, indicating rapid, simultaneous exploitation by multiple actors. Observed post-exploitation activity:

  • Reconnaissance commands: ipconfig, whoami, arp
  • Creation of backdoor user accounts: wing and wingftp
  • Attempted deployment of ScreenConnect (legitimate remote management software) as a persistence mechanism
  • Download of remote batch scripts
  • Malware beacon detection: Trojan:Win32/Ceprolad.A (detected by Microsoft Defender)

The attack pattern suggests less-sophisticated opportunistic actors rapidly weaponizing newly available exploit code rather than a targeted nation-state operation. CISA added CVE-2025-47812 to the KEV catalog on July 14, 2025, four days after the CVE was published.

Remediation

  1. Upgrade Wing FTP Server to version 7.4.4 or later immediately; the fix has been available since May 14, 2025 (download from https://www.wftpserver.com/download.htm).
  2. Check for backdoor accounts: review all Wing FTP user accounts and OS-level accounts for unexpected entries, particularly accounts named wing or wingftp, or any unfamiliar account added after the server's initial setup.
  3. Check for ScreenConnect or other remote management tools: audit running processes and installed software for unauthorized remote access tools that may have been installed post-exploitation.
  4. Review Wing FTP session files for anomalous content: a session file should hold only the server's own session data, so Lua statements such as command or file calls, or a raw null byte inside the username value, are a direct indicator that this exploit was used.
  5. Restrict access to all Wing FTP listeners, including the HTTP/HTTPS web interface as well as FTP/FTPS/SFTP, to known client IP ranges where possible. Note that stronger client authentication does not mitigate this bug on its own, because the payload rides on the login request itself.
  6. Monitor for the Trojan:Win32/Ceprolad.A malware family on the FTP server host and related internal systems.
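To support step 4, here is an added triage scanner (example code, not a Wing FTP or Huntress tool) that takes the bytes of a session file and reports two signals: a raw NUL byte, which the injected username carries, and Lua calls that have no business in a session record. The token list, the scan_session/session_suspicious names and the constructed sample session bodies are assumptions of this example; the real on-disk session format is not reproduced.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lua calls that should never appear in a login session record. This list
 * is a heuristic chosen for the example, not a vendor-published indicator set. */
static const char *const SUSPICIOUS[] = {
    "os.execute", "io.popen", "io.open", "os.remove", "loadstring", "dofile", NULL
};

struct finding {
    bool has_nul;        /* a raw NUL byte was present in the file body */
    const char *token;   /* first suspicious Lua call found, or NULL */
};

/* Scan one session file body. NUL bytes are recorded and replaced on a
 * private copy so that strstr() cannot be cut short by them. */
struct finding scan_session(const char *buf, size_t len) {
    struct finding f = { false, NULL };
    char *copy = malloc(len + 1);
    if (!copy) return f;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0') { f.has_nul = true; copy[i] = '.'; }
        else copy[i] = buf[i];
    }
    copy[len] = '\0';
    for (size_t i = 0; SUSPICIOUS[i] != NULL && f.token == NULL; i++)
        if (strstr(copy, SUSPICIOUS[i]) != NULL) f.token = SUSPICIOUS[i];
    free(copy);
    return f;
}

/* True when either signal fires. */
bool session_suspicious(const char *buf, size_t len) {
    struct finding f = scan_session(buf, len);
    return f.has_nul || f.token != NULL;
}

static void report(const char *label, const char *buf, size_t len) {
    struct finding f = scan_session(buf, len);
    printf("%-12s nul=%-3s token=%s\n", label,
           f.has_nul ? "yes" : "no", f.token ? f.token : "-");
}

int main(int argc, char **argv) {
    /* Constructed samples standing in for session files; the "key = [[value]]"
     * layout is illustrative only. */
    static const char benign[]  = "username = [[backup]]\nip = [[10.0.0.5]]\n";
    static const char hostile[] = "username = [[anonymous\0]]os.execute(\"whoami\")--]]\n";
    report("benign", benign, sizeof benign - 1);
    report("hostile", hostile, sizeof hostile - 1);

    /* Any paths given on the command line are scanned the same way. */
    for (int i = 1; i < argc; i++) {
        FILE *fp = fopen(argv[i], "rb");
        if (!fp) { perror(argv[i]); continue; }
        char buf[65536];
        size_t n = fread(buf, 1, sizeof buf, fp);
        fclose(fp);
        report(argv[i], buf, n);
    }
    return 0;
}
```

Point the program at the files in the server's session directory and treat any hit as a reason to pull the host for forensic review; a match on the token list is not proof by itself, but a NUL byte inside what should be a plain-text username has no benign explanation.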

Key Details

Property               Value
CVE ID                 CVE-2025-47812
Vendor / Product       Wing FTP Server / Wing FTP Server
NVD Published          2025-07-10
NVD Last Modified      2025-11-05
CVSS 3.1 Score         10.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-158
CISA KEV Added         2025-07-14
CISA KEV Deadline      2025-08-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Changed
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-08-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-05-14   Wing FTP Server 7.4.4 released, silently patching the null byte injection vulnerability
2025-06-30   Researcher Julien Ahrens publishes technical write-up; PoC exploit released
2025-07-01   Huntress observes active exploitation within 24 hours of disclosure: 5+ attacker IPs targeting a single customer; backdoor accounts 'wing' and 'wingftp' created
2025-07-10   CVE published
2025-07-14   CISA adds CVE-2025-47812 to the Known Exploited Vulnerabilities catalog
2025-08-04   CISA BOD 22-01 remediation deadline