What is the critical vulnerability discovered in Wing FTP Server?

A critical security vulnerability tracked as CVE-2025-47812 with a perfect CVSS score of 10.0 has been reported in Wing FTP Server. The vulnerability allows unauthenticated attackers to achieve complete control over affected systems through NULL byte injection in the username parameter of the /loginok.html endpoint.

Why does this Wing FTP Server vulnerability have a perfect CVSS score of 10.0?

The vulnerability receives a perfect CVSS score of 10.0 because it allows unauthenticated remote attackers to achieve complete system compromise with maximum privileges. The Wing FTP Server runs with root privileges on Linux and NT AUTHORITY/SYSTEM rights on Windows, meaning any injected code executes with the highest possible system privileges.

How does the Wing FTP Server vulnerability work technically?

The vulnerability stems from improper validation of NULL bytes within user input in the username parameter. Attackers can inject arbitrary Lua code into user session files by sending specially crafted POST requests to the /loginok.html endpoint. When these maliciously crafted session files are executed during authenticated operations, they enable complete system compromise through Lua code injection.

What can attackers do once they exploit this Wing FTP Server vulnerability?

Successful exploitation allows attackers to execute arbitrary Lua code with maximum system privileges, resulting in complete takeover of the underlying server infrastructure. This includes full control over the system, ability to access and modify files, install malware, and use the compromised server as a launching point for further attacks.

Why is the Wing FTP Server vulnerability particularly dangerous?

The vulnerability is particularly dangerous because it requires no authentication, can be exploited remotely, and Wing FTP Server operates with maximum privileges by default. On Linux systems, the server runs with root privileges, and on Windows systems it operates under NT AUTHORITY/SYSTEM rights, giving attackers complete system control.

What type of injection attack is used in this Wing FTP Server vulnerability?

The attack uses NULL byte injection combined with Lua code injection. Attackers send specially crafted POST requests with NULL bytes in the username parameter, which allows them to break out of the expected data structure and inject Lua scripting code that gets executed by the server.

How widespread is the potential impact of this Wing FTP Server vulnerability?

Given Wing FTP Server's popularity in enterprise environments, the potential impact affects thousands of organizations worldwide. Both Community Edition and Enterprise Edition deployments across Windows, Linux, and Mac OS platforms are vulnerable until updated to version 7.4.4.

What should organizations do if they cannot immediately update Wing FTP Server?

Organizations that cannot immediately update should consider implementing network-level protections and isolation measures. However, given the vulnerability's maximum CVSS score and potential for complete system compromise, the update should be treated as an emergency security patch and prioritized accordingly.

What endpoint is vulnerable in Wing FTP Server?

The vulnerable endpoint is /loginok.html, specifically in how the server processes the 'username' parameter. The server fails to properly sanitize NULL byte input in this parameter, allowing attackers to inject malicious Lua code that gets executed during authenticated operations.

Does this Wing FTP Server vulnerability require authentication to exploit?

No, this vulnerability allows unauthenticated attackers to achieve complete control over affected systems. Attackers do not need valid credentials or prior access to the FTP server to exploit this vulnerability and gain maximum system privileges.

What scripting language does Wing FTP Server use that makes this vulnerability possible?

Wing FTP Server uses Lua as its embedded scripting language. The vulnerability allows attackers to inject arbitrary Lua code through NULL byte injection, and since the server executes this code with maximum privileges, it results in complete system compromise.

How urgent is it to patch this Wing FTP Server vulnerability?

This should be treated as an emergency security patch requiring immediate attention. The vulnerability has a perfect CVSS score of 10.0, allows unauthenticated remote code execution with maximum privileges, and affects thousands of organizations worldwide. Delaying the update significantly increases the risk of system compromise.

What platforms are affected by this Wing FTP Server vulnerability?

The vulnerability affects Wing FTP Server installations across all supported platforms including Windows, Linux, and Mac OS. Both Community Edition and Enterprise Edition deployments running versions up to and including 7.4.3 are vulnerable regardless of the underlying operating system.

What is the CVE identifier and how can organizations track this Wing FTP Server vulnerability?

The vulnerability is tracked as CVE-2025-47812 and has been assigned the maximum CVSS score of 10.0. Organizations should reference this CVE identifier when tracking the vulnerability in their security management systems and ensure all Wing FTP Server instances are updated to version 7.4.4 or later.

Advisory

Critical vulnerability in Wing FTP Server enables remote code execution, server takeover

published: July 3, 2025

Take action: If you're running Wing FTP Server (any version up to 7.4.3), time to make an URGENT patch, because hackers can easily hijack the entire server. Immediately update to version 7.4.4 or isolate the server from the internet, then plan a quick patch. Patching for this issue is not optional!

Learn More

A critical security vulnerability has been reported in Wing FTP Server that allows unauthenticated attackers to achieve complete control over affected systems.

The flaw is tracked as CVE-2025-47812 (CVSS score 10.0) and is caused by Wing FTP Server's handling of the /loginok.html endpoint, in how the server processes the "username" parameter. The vulnerability stems from improper validation of NULL bytes within user input, which allows attackers to inject arbitrary Lua code into user session files. When these maliciously crafted session files are executed during authenticated operations, they enable complete system compromise.

The attack is executed by sending a specially crafted POST request to the vulnerable endpoint with NULL byte injection in the username parameter. The server fails to properly sanitize this input, allowing attackers to break out of the expected data structure and inject Lua scripting code. Since Wing FTP Server uses Lua as its embedded scripting language, successful injection will result in command execution.

# Basic command execution (Linux/Unix)
curl -X POST "http://target-server.com/loginok.html" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=anonymous%00]]%0dlocal+h+%3d+io.popen(\"whoami\")
%0dlocal+r+%3d+h%3aread(\"*a\")%0dh%3aclose()%0dprint(r)%0d--&password=test"

# Windows command execution
curl -X POST "http://target-server.com/loginok.html" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=anonymous%00]]%0dlocal+h+%3d+io.popen(\"cmd.exe+/c+dir\")
%0dlocal+r+%3d+h%3aread(\"*a\")%0dh%3aclose()%0dprint(r)%0d--&password=test"

Bt default the Wing FTP Server operates with maximum privileges on the host:

on Linux systems, the server runs with root privileges
on Windows systems it operates under NT AUTHORITY/SYSTEM rights

Any injected code will be executed with highest possible system privileges, causing complete takeover of the underlying server infrastructure.

The vulnerability impacts all Wing FTP Server installations running versions up to and including 7.4.3. This includes both Wing FTP Server Community Edition and Enterprise Edition deployments across all supported platforms including Windows, Linux, and Mac OS. Given Wing FTP Server's popularity in enterprise environments, the potential impact affects thousands of organizations worldwide.

Wing FTP Server released version 7.4.4 to patch the vulnerability. It includes proper input validation and sanitization of the username parameter to prevent NULL byte injection attacks.

All organizations running Wing FTP Server are strongly urged to immediately update to version 7.4.4 or later. The update process should be treated as an emergency security patch given the vulnerability's maximum CVSS score and the potential for complete system compromise. Organizations that cannot immediately update should consider implementing network-level protections and isolation.

Critical vulnerability in Wing FTP Server enables remote code execution, server takeover

Read More
Critical vulnerabilities discovered in Citrix NetScaler ADC and …
Apache InLong project reports critical flaw in its …
Critical authentication bypass flaw in HCL BigFix WebUI …
Another critical RCE flaw reported in n8n automation …
Critical AMI Baseboard management vulnerabilities can brick servers