A critical zero-day vulnerability has been discovered in Wing FTP Server, a popular file transfer software used by over 10,000 customers worldwide, that allows attackers to gain complete control over affected systems without authentication.
The vulnerability, assigned CVE-2025-47812 with a maximum severity score of 10.0, affects all versions up to 7.4.3 and has been patched in the latest release.
The vulnerability, discovered by security researcher Julien Ahrens from RCE Security, exploits a code injection weakness in the software’s login handling mechanism.
The vulnerability specifically targets the “/loginok.html” endpoint, where improper handling of NULL bytes in the username parameter allows attackers to inject arbitrary Lua code into user session files.
This represents a particularly dangerous attack vector as it requires no authentication and can be executed remotely over the network.
What makes this vulnerability especially severe is the elevated privileges under which Wing FTP Server typically operates.
On Linux systems, the software runs as root, while on Windows installations it operates under the NT AUTHORITY\SYSTEM account.
This means successful exploitation grants attackers the highest level of system access, effectively allowing complete compromise of the underlying server infrastructure.
The attack becomes even more concerning when Wing FTP Server is configured to allow anonymous users, as this essentially provides a direct path to unauthenticated remote code execution.
Wing FTP Server Vulnerability
Wing FTP Server’s cross-platform compatibility amplifies the potential impact of this vulnerability.
The software supports Windows, Linux, and Mac OS environments, and offers multiple file transfer protocols including FTP, FTPS, HTTP, HTTPS, and SFTP.
This broad compatibility means the vulnerability potentially affects diverse IT infrastructures across various operating systems and deployment scenarios.
The software’s popularity in enterprise environments, with over 10,000 customers using it for file transfer services, suggests that the vulnerability could have far-reaching consequences.
Organizations using Wing FTP Server for critical file sharing operations, particularly those with internet-facing deployments, face significant risk of complete system compromise.
The vulnerability’s ease of exploitation, demonstrated through a simple HTTP POST request containing malicious Lua code, makes it accessible to attackers with varying skill levels.
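The article describes the affected endpoint ("/loginok.html"), the affected parameter (username), the trigger (a NULL byte) and the fixed release (7.4.4). The following is an added defender-side example, not code from the article, from RCE Security or from the Wing FTP Server vendor: it checks a reported version against the fix release and flags login POST requests whose username parameter carries a NUL byte (raw or percent-encoded). It assumes you can obtain the request method, path and form body from a reverse proxy, WAF or packet capture in front of the server; the sample requests at the bottom are constructed for illustration.

```python
from urllib.parse import parse_qs

# Values taken from the article: the login endpoint and the first fixed release.
LOGIN_ENDPOINT = "/loginok.html"
FIXED_VERSION = (7, 4, 4)


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '7.4.3' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_update(version: str) -> bool:
    """True when the installed version is older than the fixed release 7.4.4."""
    return parse_version(version) < FIXED_VERSION


def username_values(body: str) -> list:
    """Decode an application/x-www-form-urlencoded body and return every
    'username' value. parse_qs decodes %00 to a literal NUL character, so a
    raw NUL and a percent-encoded one are both caught by the same check."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("username", [])


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """Flag a POST to the login endpoint whose username contains a NUL byte.
    Legitimate usernames never contain NUL, so this is a low-noise signal."""
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0] != LOGIN_ENDPOINT:
        return False
    return any("\x00" in value for value in username_values(body))


def scan(requests: list) -> list:
    """Return the indexes of suspicious (method, path, body) tuples."""
    return [
        index
        for index, (method, path, body) in enumerate(requests)
        if is_suspicious_login(method, path, body)
    ]


# Constructed sample traffic (not real captures): a normal login, a login with
# a percent-encoded NUL in the username, a raw NUL, and a NUL on a different
# endpoint that should not be flagged.
SAMPLE_REQUESTS = [
    ("POST", "/loginok.html", "username=alice&password=s3cret"),
    ("POST", "/loginok.html", "username=anonymous%00tail&password=x"),
    ("POST", "/loginok.html", "username=anonymous\x00tail&password=x"),
    ("POST", "/other.html", "username=anonymous%00tail&password=x"),
    ("GET", "/loginok.html", "username=anonymous%00tail"),
]


if __name__ == "__main__":
    for version in ("7.4.3", "7.4.4"):
        print(version, "needs update" if needs_update(version) else "patched")
    print("suspicious request indexes:", scan(SAMPLE_REQUESTS))
```

Run against the constructed samples, only the two login POSTs with a NUL in the username (indexes 1 and 2) are reported; the version check reports 7.4.3 as needing the update and 7.4.4 as patched. In a real deployment the version string comes from the server banner or installed package, and the request tuples from whatever sits in front of the service that can see POST bodies.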
Rapid Response and Remediation
Following responsible disclosure practices, RCE Security reported the vulnerability to the vendor on May 12, 2025, with MITRE assigning the CVE identifier on May 10.
The vendor’s response was notably swift, confirming the issue as critical within the same day and releasing a patched version 7.4.4 just two days later on May 14.
This rapid turnaround demonstrates effective coordination between security researchers and software vendors.
The proof-of-concept exploit involves a carefully crafted POST request to the vulnerable endpoint, injecting Lua code that executes system commands.
Organizations using Wing FTP Server should immediately update to version 7.4.4 to eliminate this critical security risk.
System administrators should also review their server configurations to ensure proper access controls and monitoring are in place, particularly for internet-facing installations.
The discovery and swift remediation of CVE-2025-47812 highlights the ongoing importance of security research and responsible disclosure in protecting critical infrastructure components like file transfer servers.