Description

Wing FTP Server is vulnerable to an unauthenticated remote code execution (RCE) due to improper handling of NULL bytes in the 'username' parameter during the login process. An attacker can inject Lua code into session files and execute it on the server.

Remediation

Upgrade to the latest version of Wing FTP

References

Technical Analysis by RCE Security

CVE-2025-47812

Related Vulnerabilities

SharePoint Improper Privilege Management Vulnerability (CVE-2021-1712)

MySQL CVE-2023-22026 Vulnerability (CVE-2023-22026)

Internet Information Services Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-4078)

Oracle JRE Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2024-21147)

PHP Interpretation Conflict Vulnerability (CVE-2025-1217)

Severity

Critical

Classification

CVE-2025-47812 CWE-158 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Code Execution Authentication Bypass Known Vulnerabilities