In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
🚨 Marked as known exploited on July 11th, 2025 (about 2 hours ago).
CVE ID: CVE-2025-47812
CVSS Base Severity: CRITICAL
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor: wftpserver
Product: Wing FTP Server
http/cves/2025/CVE-2025-47812.yaml
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: true