
A critical null-byte injection vulnerability in Wing FTP Server has been discovered that allows attackers to gain complete root access to affected systems, potentially compromising thousands of file transfer servers globally.
The flaw, tracked as CVE-2025-47812 with a maximum CVSS score of 10.0, affects all versions up to 7.4.3 and can be exploited without authentication when anonymous access is enabled.
Security researcher Julien Ahrens from RCE Security uncovered the vulnerability during a penetration test, demonstrating how a simple null byte (%00) injection in the username parameter completely bypasses authentication checks. The attack exploits a fundamental flaw in how Wing FTP's C++ authentication code processes strings differently than its Lua session management system.
"What makes this particularly dangerous is that it's exploitable through anonymous connections, which are commonly enabled on FTP servers for public file sharing," explains the technical breakdown.
The vulnerability occurs because Wing FTP's C++ authentication function uses strlen() to process usernames, stopping at the null byte, while the Lua code that creates session files processes the entire string including malicious code after the null byte.
Here's how the attack works:
An attacker sends a crafted username like "anonymous%00]]%0dlocal+h+%3d+io.popen('id')%0d" which passes authentication as the legitimate "anonymous" user but injects Lua code into the session file. When the attacker accesses any authenticated page, the malicious Lua code executes with full system privileges.
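To illustrate the strlen()/full-buffer mismatch described above and the input check that closes it, here is an added example; it is not Wing FTP's code nor the researcher's, and the decoder and checker are hypothetical helpers written for this page:

```cpp
#include <cstring>
#include <string>

// Percent-decode a form/URL parameter. Returns false if the decoded bytes
// would contain NUL, so a "%00" never reaches strlen()-based code.
// Hypothetical helper written for this example, not Wing FTP's decoder.
bool percent_decode_no_nul(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '+') { out.push_back(' '); continue; }
        if (c != '%') { out.push_back(c); continue; }
        if (i + 2 >= in.size()) return false;   // truncated escape
        auto hex = [](char h) -> int {
            if (h >= '0' && h <= '9') return h - '0';
            if (h >= 'a' && h <= 'f') return h - 'a' + 10;
            if (h >= 'A' && h <= 'F') return h - 'A' + 10;
            return -1;
        };
        int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
        if (hi < 0 || lo < 0) return false;      // malformed escape
        unsigned char byte = static_cast<unsigned char>(hi * 16 + lo);
        if (byte == 0) return false;             // embedded NUL: reject
        out.push_back(static_cast<char>(byte));
        i += 2;
    }
    return true;
}

// Length as strlen() sees it versus the full buffer length. When they
// differ, the C++ side and a Lua consumer of the same buffer see two
// different strings, which is the root of the bug described above.
size_t strlen_view(const std::string& s) { return std::strlen(s.c_str()); }

// Hardened username check: reject embedded NUL and any control byte
// (CR, LF, etc.) so the value later written into a session file cannot
// break out of its string literal.
bool username_is_safe(const std::string& username) {
    if (username.empty() || username.size() > 64) return false;
    if (strlen_view(username) != username.size()) return false;
    for (unsigned char c : username)
        if (c < 0x20 || c > 0x7e) return false;
    return true;
}
```

The constructed input "anonymous\0tail" shows the discrepancy: strlen_view() reports 9 while the buffer holds 14 bytes, and username_is_safe() rejects it.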
The impact extends far beyond typical web vulnerabilities because Wing FTP runs with maximum system privileges by default - root on Linux and NT AUTHORITY\SYSTEM on Windows. This design choice, which the vendor considers intentional despite security concerns (CVE-2025-47811), turns what could have been a limited compromise into a complete system takeover.
RCE Security discovered four vulnerabilities in Wing FTP Server, including path disclosure flaws and password theft mechanisms, highlighting systemic security weaknesses in the platform.
- CVE-2025-27889 (Link injection allowing password theft)
- CVE-2025-47811 (Overly permissive service permissions)
- CVE-2025-47812 (The critical null-byte injection RCE)
- CVE-2025-47813 (Path disclosure through overlong UID cookie)
A separate vulnerability research effort uncovered direct command execution flaws through Wing FTP's administrative Lua console (CVE-2025-5196). This attack vector allows authenticated administrators to execute arbitrary system commands using functions like os.execute(), effectively turning legitimate administrative features into attack tools.
The vulnerability becomes particularly dangerous because Wing FTP runs with root privileges on Linux and SYSTEM rights on Windows by default.
Organizations running Wing FTP Server should immediately upgrade to version 7.4.4, which addresses the critical null-byte injection. System administrators should also consider running the service with reduced privileges rather than root/SYSTEM accounts, though the vendor has indicated this configuration change remains optional.
The discovery underscores the ongoing risks posed by privilege escalation vulnerabilities in network-facing services, particularly those handling file transfers in enterprise environments.