CVEFinder.io

CVE-2025-47812

⛔ critical
Summary

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' (NUL) bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. It is also exploitable via anonymous FTP accounts.
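The bug pattern the summary describes, modelled as an added example (this is illustrative code written for this page, not Wing FTP Server's code): an account check that sees the username as a C string, which stops at the first NUL, beside a session serializer that writes the full Lua string into a Lua script. The account list, the session-file layout, the function names and the payload are all assumptions made for the demo. The hardened writer shows the two fixes a practitioner would want together: reject any value whose C-string view differs from the full value, and quote what is written the way Lua's string.format("%q") does.

```python
import re
from typing import Callable, Optional

# Constructed demo account list. The advisory notes that an anonymous FTP
# account is enough to reach the bug, so that is the only account here.
ALLOWED_ACCOUNTS = {"anonymous"}


def c_str(s: str) -> str:
    """Emulate C-string semantics: anything after the first NUL is invisible."""
    i = s.find("\x00")
    return s if i < 0 else s[:i]


def vulnerable_session_file(username: str) -> str:
    """Serialize the session as a Lua script with the raw, full username
    interpolated into a string literal. Assumed layout, not Wing FTP's."""
    return 'username = "%s"\nlogged_in = true\n' % username


def lua_quote(s: str) -> str:
    """Quote s as a Lua string literal: escape backslash, double quote and
    newline, and write every other control byte as a decimal escape
    (the same output shape as Lua's string.format("%q"))."""
    out = ['"']
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


def hardened_session_file(username: str) -> str:
    """Reject any name whose C-string view differs from the full value (any
    embedded NUL), whitelist the character set, and quote what is written."""
    if c_str(username) != username or not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", username):
        raise ValueError("invalid username")
    return "username = %s\nlogged_in = true\n" % lua_quote(username)


def login(username: str, writer: Callable[[str], str]) -> Optional[str]:
    """The account check sees the C string; the serializer sees the full
    value. That mismatch is the pattern the advisory describes."""
    if c_str(username) not in ALLOWED_ACCOUNTS:
        return None
    return writer(username)


def lua_after_first_string(src: str) -> str:
    """Return the source text following the first double-quoted Lua literal
    on the first line of src, honouring backslash escapes. Anything non-empty
    here is parsed by Lua as code, not as part of the username."""
    line = src.split("\n", 1)[0]
    i = line.index('"') + 1
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] == '"':
            return line[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


# Constructed payload: passes the C-string account check as "anonymous", then
# closes the literal and appends Lua that runs a command; the trailing "--"
# comments out the serializer's closing quote.
PAYLOAD = 'anonymous\x00"; os.execute("id") --'

if __name__ == "__main__":
    sess = login(PAYLOAD, vulnerable_session_file)
    print("vulnerable session file:", repr(sess))
    print("code outside the literal:", repr(lua_after_first_string(sess)))
    try:
        login(PAYLOAD, hardened_session_file)
    except ValueError as e:
        print("hardened writer:", e)
    print("hardened writer, benign name:", repr(login("anonymous", hardened_session_file)))
```

With the vulnerable writer the session file for the constructed payload carries `; os.execute("id") --"` outside the string literal, which is exactly what would run when the session script is next loaded; with the hardened writer the same request is refused before anything is written, and a benign name is emitted as a properly quoted literal. The length check on its own is the decisive fix for this bug class, since escaping cannot protect a value the check never saw in full.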

CVSS Score: 10.0 (Critical)
EPSS Score: 92.5% (Exploit Probability: estimated likelihood of exploitation activity in the next 30 days)
Published Date: 2025-07-10
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Extremely High Risk: it ranks #1 by severity of all 326,604 vulnerabilities in our database (severity percentile 100.0%, top 5% most severe).
🎯 CISA SSVC Assessment (updated Jul 17, 2025; SSVC data provided by CISA)
🔍 Exploitation Status: Active (exploits detected in the wild)
⚙️ Automatable: Yes (can be exploited automatically)
💥 Technical Impact: Total (complete system compromise possible)
Last Modified: 2025-11-05
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (network-reachable, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality, integrity and availability impact)
CWE IDs (Weakness Types)

📦 Affected Products: 1

💣 Public Exploits: 1


🔗 References: 6

🔗 Related CVEs: 6

CVE ID | Severity | CVSS | EPSS | Summary | Published
CVE-2026-44403 | ⚠️ high | 7.2 | 0.1 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization ... | 2026-05-12
CVE-2020-37079 | 🔶 medium | 4.3 | 0.0 | Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat... | 2026-02-07
CVE-2019-25267 | ⚠️ high | 7.8 | 0.0 | Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute... | 2026-02-05
CVE-2020-37032 | ⚠️ high | 8.8 | 0.4 | Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authentica... | 2026-01-30
CVE-2025-27889 | ℹ️ low | 3.4 | 0.0 | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint... | 2025-07-10
CVE-2025-47811 | 🔶 medium | 4.1 | 0.1 | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S... | 2025-07-10
These CVEs affect the same products