
A critical remote code execution (RCE) vulnerability has been discovered in Wing FTP Server, a popular cross-platform file transfer solution, allowing unauthenticated attackers to fully compromise servers running the software. The flaw, identified as CVE-2025-47812, has received a CVSS v4 score of 10.0, the highest possible rating, signaling maximum severity and impact.
“Successful exploits can allow an unauthenticated attacker to execute arbitrary commands on the underlying server,” the advisory from Julien Ahrens of RCE Security warns.
The vulnerability lies in the way Wing FTP Server handles the username parameter on the /loginok.html endpoint. Improper validation allows NULL byte injection, which then permits attackers to inject arbitrary Lua code into user session files.
Lua is the scripting language embedded in Wing FTP Server, and once attacker-controlled Lua ends up in a session file, it provides a powerful foothold for command execution.
“This essentially means the total compromise of the underlying server,” the report explains, adding that Wing FTP typically runs with root (Linux) or SYSTEM (Windows) privileges, making exploitation particularly dangerous.
Even worse, if the server is configured to allow anonymous users, the attack becomes fully unauthenticated, allowing anyone on the internet to gain shell-level access without credentials.
Ahrens provided a detailed proof-of-concept (PoC) that uses a simple HTTP POST request to trigger the bug. Here’s a glimpse of the payload:
This snippet runs the id command on the target server, demonstrating that arbitrary system commands can be executed directly from the web interface.
For those seeking weaponized exploitation, security researcher Chocapikk has published a Metasploit module, drastically lowering the barrier to exploitation for attackers.
Wing FTP Server is widely used for secure and flexible file transfers across corporate networks and remote clients. A CVSS 10.0 RCE in such infrastructure software represents a critical risk, especially in environments where:
- The server is publicly exposed to the internet.
- Anonymous or guest accounts are enabled.
- The application runs with elevated privileges.
If you’re running Wing FTP Server on Windows, Linux, or macOS, your server is vulnerable unless you upgrade to version 7.4.4, the fixed release. No workarounds are suggested—only an update will eliminate the risk.
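As an added defensive example (not code from the advisory, from Chocapikk's module, or from Wing FTP itself), the Python script below flags login requests of the shape described above, a POST to /loginok.html whose username value contains a NUL byte, and checks whether a reported version string predates the 7.4.4 fix. The (method, path, body) request format and the sample traffic are constructed for this example; adapt the loader to whatever your proxy or server logs provide.

```python
"""Defensive checks for CVE-2025-47812 in Wing FTP Server (fixed in 7.4.4).

1. Flag POST requests to /loginok.html whose `username` contains a NUL byte.
2. Decide whether a reported Wing FTP version string predates the fix.
The (method, path, body) tuple format is an assumption made for this example.
"""
from urllib.parse import parse_qs

VULNERABLE_ENDPOINT = "/loginok.html"
FIXED_VERSION = (7, 4, 4)  # first fixed release named in the article

# Constructed sample traffic (not real captures): (method, path, form body).
SAMPLE_REQUESTS = [
    ("POST", "/loginok.html", "username=alice&password=secret"),
    ("POST", "/loginok.html", "username=anonymous%00&password=x"),  # NUL in username
    ("POST", "/loginok.html", "username=bob&password=%00"),  # NUL in another field only
    ("POST", "/loginok.html?lang=en", "username=eve%00%00&password=y"),
    ("GET", "/main.html", ""),
]

def username_has_nul(body: str) -> bool:
    """True if the form body's `username` value decodes to contain a NUL byte.

    parse_qs percent-decodes once, so `%00` and a raw 0x00 are both caught.
    Double-encoded variants (e.g. `%2500`) would need a second decode and are
    deliberately not guessed at here.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))

def suspicious_login_request(method: str, path: str, body: str) -> bool:
    """Match the request shape from the advisory: POST /loginok.html + NUL in username."""
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0] != VULNERABLE_ENDPOINT:  # ignore any query string
        return False
    return username_has_nul(body)

def scan(requests):
    """Return indices of requests worth escalating; run it over your own log export."""
    return [i for i, (m, p, b) in enumerate(requests) if suspicious_login_request(m, p, b)]

def is_vulnerable_version(version: str) -> bool:
    """Numeric dotted versions below 7.4.4 are affected; tuple compare handles '7.4' too."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION

if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        print(f"ALERT request #{idx}: {SAMPLE_REQUESTS[idx][:2]}")
```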