CVE-2025-47812
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
| CWE | CWE-158 |
| Vendor | wftpserver |
| Product | wing ftp server |
| Published | Jul 10, 2025 |
| Last Updated | Feb 26, 2026 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for wftpserver wing ftp server
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-47812.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
wftpserver / Wing FTP Server
0 < 7.4.4
References
wftpserver.com: https://www.wftpserver.com rcesecurity.com: https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ vicarius.io: https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server vicarius.io: https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server huntress.com: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812