WingFTP Critical Remote Code Execution Vulnerability (CVE-2025-47812)
Julien Ahrens from RCE Security discovered a critical security vulnerability impacting WingFTP. Tracked as CVE-2025-47812, the vulnerability has a CVSS score of 10. Successful exploitation of the vulnerability may allow a remote unauthenticated attacker to execute arbitrary code, leading to complete system compromise.
Wing FTP Server is cross-platform, user-friendly, and secure FTP server software. It supports multiple file transfer protocols, such as FTP, FTPS, HTTP, HTTPS, and SFTP, allowing flexibility for client connections.
Vulnerability Details
The endpoint at /loginok.html improperly handles NULL bytes when processing the username parameter. This allows attackers to inject arbitrary Lua code into user session files.
Successful exploitation of the vulnerability can allow an unauthenticated attacker to execute arbitrary commands on the underlying server, since WingFTP runs as root on Linux and as NT AUTHORITY\SYSTEM on Windows by default.
Exploitation
The c_CheckUser call always returns OK_CHECK_CONNECTION regardless of what follows the NULL byte in the username, as long as the string before the NULL byte matches an existing user. An attacker may exploit the vulnerability by appending a NULL byte and additional data to a known username, bypassing the password check. The server calls strlen() on the username to determine its length, but strlen() only counts characters up to the NULL terminator, so the user check sees only the valid prefix while the unsanitized full username is retained.
The unsanitized username (including the injected NULL byte and the Lua payload) is stored directly into session files as Lua code. These session files are written as .lua files and are executed when sessions are loaded. On Linux, Wing FTP Server runs as root; on Windows, it runs as SYSTEM. The injected Lua payload therefore runs with full privileges when the session is reloaded.
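As an added detection example (not code from Qualys, Wing FTP or the original advisory), the following Python flags POST /loginok.html requests whose username parameter carries an embedded NULL byte, contrasting what a strlen()-bounded check sees with the full decoded value; the access-log line format used for the constructed sample lines is an assumption.

```python
"""Flag NUL-byte injection in the username parameter of /loginok.html.
Added example for CVE-2025-47812 (not vendor or Qualys code)."""
import re
from urllib.parse import parse_qs

LOGIN_ENDPOINT = "/loginok.html"


def c_string_view(value: bytes) -> bytes:
    """What a strlen()-bounded check sees: bytes before the first NUL."""
    return value.split(b"\x00", 1)[0]


def analyse_username(full: bytes) -> dict:
    """Compare the strlen() view with the full value; a length mismatch
    means a NUL byte was embedded and the request should be rejected."""
    visible = c_string_view(full)
    return {
        "visible_user": visible.decode("utf-8", "replace"),
        "visible_length": len(visible),
        "full_length": len(full),
        "embedded_nul": len(visible) != len(full),
    }


# Constructed sample log lines (assumed format: METHOD PATH BODY STATUS).
SAMPLE_LOG = [
    "POST /loginok.html username=alice&password=secret 200",
    "POST /loginok.html username=alice%00extra&password=x 200",
    "POST /loginok.html username=bob&password=pw 401",
    "GET /index.html - 200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S*) (\d{3})$")


def find_nul_logins(lines):
    """Return (visible_user, line) for login requests with an embedded NUL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) != LOGIN_ENDPOINT:
            continue
        # parse_qs percent-decodes, so %00 becomes a real NUL character.
        params = parse_qs(m.group(3), keep_blank_values=True)
        for raw in params.get("username", []):
            info = analyse_username(raw.encode("utf-8", "surrogateescape"))
            if info["embedded_nul"]:
                hits.append((info["visible_user"], line))
    return hits
```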
Affected Versions
The vulnerability affects WingFTP versions before 7.4.4.
Mitigation
Users must upgrade to WingFTP version 7.4.4 to patch the vulnerability.
Please refer to the WingFTP Release Notes for more information.
Qualys Detection
Qualys customers can scan their devices with QID 383441 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.wftpserver.com/serverhistory.htm
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47812.txt
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/