External risk intelligence

Wing FTP Server Remote Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2025-47812

Wing FTP Server versions prior to 7.4.4 have a vulnerability allowing arbitrary system command execution with elevated privileges, potentially leading to full server compromise. This risk impacts organizations relying on this service for file transfer operations.

5Halo Surface Signal

Remote Code Execution

Wftpserver Wing Ftp Server

before 7.4.4

External exposure likelihood

Halo Surface Signal score for CVE-2025-47812

The product is a file transfer server designed to be internet-facing for remote file access and management. As a public-facing service that often includes web-based administration and user interfaces accessible over the network, it is a primary edge-facing asset.

Horizon Alert

Summary of the vulnerability and why it matters

Wing FTP Server versions prior to 7.4.4 contain a vulnerability that allows for the injection of arbitrary Lua code. This flaw can lead to the execution of system commands with the elevated privileges of the FTP service. The vulnerability is exploitable through both user and administrative interfaces, and even via anonymous FTP accounts. This could result in a complete compromise of the server.

Wing FTP Server web interfaces
Null byte handling allows code injection
Complete server compromise possible

Attack Path

How an attacker could exploit the issue

Wing FTP Server versions prior to 7.4.4 contain a vulnerability in the user and admin web interfaces. This vulnerability allows for the injection of arbitrary Lua code into user session files, which can lead to the execution of system commands with the privileges of the FTP service. This vulnerability is exploitable even by anonymous FTP accounts, potentially resulting in a total server compromise.

Exposure through web interfaces.
Attacker injects malicious code.
Arbitrary code execution achieved.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in Wing FTP Server allows for remote code execution by injecting arbitrary Lua code. This can lead to the execution of system commands with elevated privileges, potentially resulting in a complete server compromise. The vulnerability is exploitable even through anonymous FTP accounts.

Likely attacker skill level: Low
Required access or conditions: Anonymous access
Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows for arbitrary code execution by exploiting how the Wing FTP Server handles null bytes in its user and admin interfaces. Attackers can inject Lua code into session files, leading to the execution of system commands with elevated privileges. This could result in a complete server compromise, even through anonymous FTP accounts.

Identify all Wing FTP Server instances.
Isolate affected servers from the network.
Apply vendor updates and verify.
Monitor for related suspicious activity.

Frequently asked questions

What is Wing FTP Server and what is it used for?

Wing FTP Server is a file transfer server that provides both user and administrator web interfaces for managing files remotely. It allows for FTP, FTPS, and other file transfer protocols, often serving as a way for users and administrators to access and manage files over a network or the internet.

What is the vulnerability in Wing FTP Server (CVE-2025-47812)?

CVE-2025-47812 is a remote code execution vulnerability in Wing FTP Server. It stems from the improper handling of null byte characters ('\0') in the web interfaces, which allows attackers to inject arbitrary Lua code. This injected code can then be used to run system commands with the same privileges as the FTP service, potentially leading to a full server takeover.

How can an attacker exploit this Wing FTP Server vulnerability?

An attacker can exploit this vulnerability by sending specially crafted input to the user or admin web interfaces of Wing FTP Server that includes null bytes. This allows them to inject Lua code into user session files. Notably, this vulnerability can be exploited even by anonymous FTP accounts, meaning no authentication is required for exploitation.

Who should be concerned about this Wing FTP Server vulnerability?

Organizations running Wing FTP Server should be concerned, especially if their servers are internet-facing. The Halo Surface Signal indicates this product is 'Very likely' to be an edge-facing asset because it functions as a public-facing service for remote file access and management.

What are the first steps to address this CVE-2025-47812 threat?

The immediate first step is to identify all instances of Wing FTP Server within your environment. If possible, apply updates from the vendor to version 7.4.4 or later. If immediate patching isn't feasible, consider isolating affected servers from the network or monitoring them closely for suspicious activity.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.