CVE-2025-47812

EUVD-2025-21009 | CRITICAL
2025-07-10 [email protected]
CVSS 3.1 base score: 10.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned - Mar 16, 2026 06:52 (euvd): EUVD-2025-21009
Analysis Generated - Mar 16, 2026 06:52 (vuln.today)
Added to CISA KEV - Nov 05, 2025 19:26 (cisa): CISA KEV
PoC Detected - Nov 05, 2025 19:26 (vuln.today): Public exploit code
CVE Published - Jul 10, 2025 17:15 (nvd): CRITICAL 10.0

Description

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). It is therefore a remote code execution vulnerability that results in total server compromise. It is also exploitable via anonymous FTP accounts.

Analysis

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0): the user and admin web interfaces mishandle null bytes, which lets an attacker inject arbitrary Lua code into user session files that the server later executes. Because the service runs as root (Linux) or SYSTEM (Windows) by default, and because the flaw is reachable through anonymous FTP accounts, successful exploitation gives an unauthenticated attacker full control of the host. The 92.7% EPSS score, the CISA KEV listing and public exploit code indicate that exploitation is already happening in the wild rather than being theoretical.

Technical Context

Wing FTP Server uses Lua for its scripting engine and stores session data in Lua-format files that the server loads and executes. The web interfaces fail to reject or properly handle null bytes ('\0') in input, and the two halves of the code disagree about what a string is: the checks that validate the value treat the NUL as a string terminator and only see the harmless prefix, while the code that writes the session file copies the full attacker-controlled bytes into the Lua source, where the remainder can close the string literal and be parsed as code. When the server next loads that session file, the Lua interpreter executes the injected code. Since Wing FTP typically runs as root (Linux) or SYSTEM (Windows), this provides maximum-privilege code execution.
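To make that mismatch concrete, the following Python model is added here; it is not Wing FTP Server's code, and the session-file layout (username = '...'), the anonymous-user check and all function names are hypothetical stand-ins. It contrasts a writer that validates the C-string view of a username but serializes the whole buffer unescaped with one that validates the whole buffer and quotes the value as a proper Lua literal.

```python
# Added example, not Wing FTP Server's code: a minimal model of the bug class the
# advisory describes. The session-file layout ("username = '...'"), the anonymous
# check and all function names are hypothetical stand-ins for illustration.


def c_string_view(raw: bytes) -> bytes:
    """What a C string routine sees: nothing past the first NUL byte."""
    return raw.split(b"\x00", 1)[0]


def is_anonymous_vulnerable(username: bytes) -> bool:
    # The check is made on the C-string view, so b"anonymous\x00<anything>" passes.
    return c_string_view(username) == b"anonymous"


def write_session_vulnerable(username: bytes) -> str:
    # The session file is rendered from the full buffer with no escaping, so the
    # bytes hidden behind the NUL are copied verbatim into a Lua source file.
    return "username = '%s'\n" % username.decode("latin-1")


def lua_quote(raw: bytes) -> str:
    """Render bytes as a Lua single-quoted literal; escaping modelled on Lua's %q."""
    out = []
    for b in raw:
        if b in (0x27, 0x5C):                       # ' and backslash
            out.append("\\" + chr(b))
        elif b < 0x20 or b >= 0x7F:                 # NUL, other controls, non-ASCII
            out.append("\\%03d" % b)                # Lua decimal escape, e.g. \000
        else:
            out.append(chr(b))
    return "'" + "".join(out) + "'"


def is_anonymous_fixed(username: bytes) -> bool:
    # Decide on the whole buffer, and refuse control bytes before anything else.
    if any(b < 0x20 or b == 0x7F for b in username):
        return False
    return username == b"anonymous"


def write_session_fixed(username: bytes) -> str:
    # Even if a bad value slipped through, a properly quoted literal cannot
    # break out of the string and become code.
    return "username = %s\n" % lua_quote(username)


# Constructed attacker input: an accepted username, a NUL, then Lua that closes
# the literal, runs a command and comments out the trailing quote.
PAYLOAD = b"anonymous\x00'; os.execute(\"id\"); --"

if __name__ == "__main__":
    print("vulnerable check accepts payload:", is_anonymous_vulnerable(PAYLOAD))
    print("vulnerable session line:", repr(write_session_vulnerable(PAYLOAD)))
    print("fixed check accepts payload:    ", is_anonymous_fixed(PAYLOAD))
    print("fixed session line:     ", repr(write_session_fixed(PAYLOAD)))
```

Run it and compare the two session lines: in the vulnerable one the NUL is followed by a closing quote and a live os.execute call, so the Lua loader sees a statement, not a value; in the fixed one the same bytes survive only as \000 and \' escapes inside the literal. The two fixes are independent and both belong in a patch: reject control bytes on the full buffer, and never build source code from unescaped input.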

Affected Products

Wing FTP Server before 7.4.4

Remediation

Upgrade Wing FTP Server to 7.4.4 or later immediately. If you cannot upgrade yet, restrict access to the user and admin web interfaces to trusted IP ranges and disable anonymous FTP logins, since the flaw is reachable through anonymous accounts. Where possible, run the service under a dedicated low-privilege account rather than root or SYSTEM, so that a compromise of the FTP process does not hand over the whole host. Because the vulnerability is listed in CISA KEV and public exploit code exists, treat any exposed instance that ran an affected version as potentially compromised: audit it for unauthorized logins, for session files containing unexpected Lua code, and for unexplained file modifications.
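As an added example of the audit step above (not Wing FTP's own tooling), this Python script sweeps a directory of session files and flags any that contain a NUL byte, a Lua call that should never appear in session data, or a line that is not a plain key = value assignment. The *.lua glob, the assumed line shape, the indicator list and the sample files are illustrative assumptions; adjust them to the real session-file format and location before running it on a server.

```python
# Added example, not Wing FTP Server tooling: an incident-response sweep over a
# directory of Lua session files, flagging ones that no longer look like plain
# data. The "*.lua" glob, the "key = value" line shape and the indicator list are
# assumptions for illustration; adapt them to the real session-file format.
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# A well-formed session line, as modelled here: identifier = single-quoted
# literal (only Lua escapes inside), number, boolean or nil, nothing trailing.
CLEAN_LINE = re.compile(
    r"^\s*[A-Za-z_]\w*\s*=\s*(?:'(?:[^'\\]|\\.)*'|-?\d+|true|false|nil)\s*$"
)

# Lua calls that have no business in a file that should hold only session data.
INDICATORS = re.compile(
    r"\b(?:os\.execute|io\.popen|os\.remove|load(?:string)?|dofile|require)\s*\("
)


def suspicious_lines(text: str) -> List[str]:
    """Return one reason per line that looks tampered with (empty list = clean)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("--"):
            continue
        if "\x00" in line:
            reason = "embedded NUL byte"
        elif INDICATORS.search(line):
            reason = "dangerous Lua call"
        elif not CLEAN_LINE.match(line):
            reason = "not a plain key = value assignment"
        else:
            continue
        findings.append(f"line {n}: {reason}")
    return findings


def audit_session_dir(session_dir: Path) -> Dict[str, List[str]]:
    """Scan every *.lua file under session_dir; map file name to its findings."""
    report = {}
    for path in sorted(session_dir.glob("*.lua")):
        findings = suspicious_lines(path.read_text(encoding="latin-1"))
        if findings:
            report[path.name] = findings
    return report


# Constructed sample session files (not real Wing FTP output).
SAMPLES = {
    "clean.lua": "username = 'alice'\nlogin_time = 1752169200\nadmin = false\n",
    "injected.lua": "username = 'anonymous\x00'; os.execute(\"id\"); --'\nlogin_time = 1752169200\n",
    "tampered.lua": "username = 'bob'\nlogin_time = 1752169300\nio.popen('whoami')\n",
}


def demo_audit() -> Dict[str, List[str]]:
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            (Path(tmp) / name).write_text(body, encoding="latin-1")
        return audit_session_dir(Path(tmp))


if __name__ == "__main__":
    for name, findings in demo_audit().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

The structural check (CLEAN_LINE) matters more than the indicator list: an attacker can pick a call that is not on any blocklist, but a session file that should hold only assignments cannot contain a statement without failing the shape test. Treat a hit as a lead for forensics on that user's login activity, not as proof of compromise on its own.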

Priority Score

213 (Critical): KEV +50, EPSS +92.7, CVSS +50, PoC +20


CVE-2025-47812 vulnerability details – vuln.today
