Cybersecurity Blog | RedLegg

Security Bulletin: Wing FTP Server Remote Code Execution via Null‑Byte/Lua Injection

Written by RedLegg's Cyber Threat Intelligence Team | 7/16/25 5:05 PM

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Wing FTP Server Remote Code Execution via Null‑Byte/Lua Injection

 

CVSS Score: 10.0 (Critical)
Identifier: CVE‑2025‑47812
Exploit or POC: Yes – actively exploited in the wild
Update CVE‑2025‑47812 – Wing FTP Server patched in version 7.4.4

Description: CVE‑2025‑47812 is a critical remote code execution vulnerability affecting Wing FTP Server versions prior to 7.4.4. It arises from improper handling of null byte (\0) characters in the loginok.html endpoint. A specially crafted username with a null byte can bypass authentication checks and allow Lua code injection into session files. When these session files are later executed by the server, the injected code runs with system-level privileges, root on Linux or SYSTEM on Windows.

This vulnerability can be exploited by unauthenticated attackers, including those using anonymous login. It has been actively exploited in the wild since July 2025, with attackers observed delivering payloads and executing post-exploitation activities such as deploying remote monitoring and management (RMM) tools.


Mitigation Recommendation:

Upgrade Wing FTP Server to version 7.4.4 or later immediately.
 
Disable anonymous FTP access if not required.
 
Restrict access to the web interface using network segmentation or IP whitelisting.
 
Inspect server logs and session files for suspicious Lua activity or malformed usernames.
 
Monitor for signs of exploitation such as unauthorized tool installation or outbound network connections.
 
 
 
Note: Due to the high severity and confirmed active exploitation, organizations running vulnerable versions should prioritize patching and take immediate action to mitigate potential compromise.

 
View full post