Researchers at RCE Security have identified a severe security flaw affecting WingFTP, a popular cross-platform FTP server. The vulnerability, designated CVE-2025-47812, has been assigned the maximum CVSS score of 10.0, indicating critical severity. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on affected systems, potentially leading to full system compromise.
WingFTP Server is widely used for secure file transfer across various platforms. Its user-friendly interface and support for multiple protocols such as FTP, FTPS, SFTP, HTTP, and HTTPS make it a versatile choice for organizations requiring a reliable file management solution.
The flaw resides in the handling of the login process, specifically in the /loginok.html endpoint. The server improperly processes NULL bytes within the username parameter.
This weakness allows attackers to inject malicious Lua code into session files, which are stored in a format resembling Lua scripts. An attacker exploits this by submitting a known username, followed by a NULL byte, followed by the Lua payload. Because only the part before the NULL byte is validated, the request passes the server's username validation logic, and the payload is written to the session file without a valid password, bypassing authentication.
The root cause is that the username length is determined with strlen(), which stops at the first NULL byte, while the full buffer received from the request, including everything after the NULL byte, is written into the session file. The validation relies on the c_CheckUser function, which returns an "OK_CHECK_CONNECTION" response regardless of the payload after the NULL byte, provided the part before the NULL byte matches an existing username.
Since WingFTP operates with high privileges, as root on Linux and SYSTEM on Windows, any code executed from these session files inherits full control over the system. Once the session file is loaded upon user login, the injected Lua code executes with those elevated privileges. This allows an attacker to run arbitrary commands, manipulate files, or install malicious software, posing a significant threat to affected systems.
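To make the length mismatch concrete, here is an added example in C that is not Wing FTP's code: a minimal model of the username path on the login endpoint. The account list, the MAX_USER_LEN limit and the session record format (username = "...") are assumptions standing in for the real Lua-like session file, and the attack string is constructed for the demonstration. The vulnerable check validates the username as a C string (strlen() truncation, modelled on the c_CheckUser behaviour described above), the session writer copies the buffer using the length the HTTP parser actually received, and the hardened check validates the received bytes instead, rejecting embedded NULs and any byte that could escape the quoted Lua string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wing FTP's code. The session record format below
 * (username = "...") is an assumed stand-in for the real Lua-like format. */

#define MAX_USER_LEN 64

/* Assumed account list for the demonstration. */
static const char *const known_users[] = { "anonymous", "alice" };
static const size_t known_user_count = sizeof known_users / sizeof known_users[0];

/* Vulnerable check (models c_CheckUser): the submitted bytes are treated as a
 * C string, so strlen() stops at the first NUL and only the prefix is compared.
 * 'len' is the length the HTTP parser actually received and is ignored: the bug. */
bool check_user_vulnerable(const char *user, size_t len)
{
    (void)len;
    size_t n = strlen(user);
    for (size_t i = 0; i < known_user_count; i++) {
        if (strlen(known_users[i]) == n && memcmp(known_users[i], user, n) == 0)
            return true;
    }
    return false;
}

/* Session writer: serialises the username into a Lua-style record using the
 * parser-supplied length, so every byte after the NUL lands in the file.
 * Returns the record length, or 0 if 'out' is too small. */
size_t write_session_record(const char *user, size_t len, char *out, size_t outsz)
{
    static const char prefix[] = "username = \"";
    static const char suffix[] = "\"\n";
    size_t plen = sizeof prefix - 1, slen = sizeof suffix - 1;
    size_t need = plen + len + slen;
    if (need + 1 > outsz)
        return 0;
    memcpy(out, prefix, plen);
    memcpy(out + plen, user, len);          /* copies straight past the NUL */
    memcpy(out + plen + len, suffix, slen);
    out[need] = '\0';
    return need;
}

/* Hardened check: validate the bytes the parser delivered, not a C string.
 * An embedded NUL (the specific bug) and any byte that could terminate or
 * escape the quoted Lua string are rejected before the name is compared. */
bool check_user_hardened(const char *user, size_t len)
{
    if (len == 0 || len > MAX_USER_LEN)
        return false;
    if (memchr(user, '\0', len) != NULL)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c < 0x20 || c == 0x7f || c == '"' || c == '\\')
            return false;
    }
    for (size_t i = 0; i < known_user_count; i++) {
        if (strlen(known_users[i]) == len && memcmp(known_users[i], user, len) == 0)
            return true;
    }
    return false;
}

/* Constructed attack input: valid prefix, NUL, then attacker-chosen Lua.
 * "sizeof - 1" keeps the embedded NUL and everything after it. */
#define INJECTED_USERNAME "anonymous\0\" os.execute(\"id\") --"
#define INJECTED_USERNAME_LEN (sizeof INJECTED_USERNAME - 1)

int main(void)
{
    char rec[256];
    size_t n;

    printf("vulnerable check accepts: %d\n",
           check_user_vulnerable(INJECTED_USERNAME, INJECTED_USERNAME_LEN));
    n = write_session_record(INJECTED_USERNAME, INJECTED_USERNAME_LEN, rec, sizeof rec);
    fwrite(rec, 1, n, stdout);              /* the Lua payload is in the record */
    printf("hardened check accepts: %d\n",
           check_user_hardened(INJECTED_USERNAME, INJECTED_USERNAME_LEN));
    return 0;
}
```

The vulnerable path accepts the 31-byte buffer because strlen() sees only "anonymous", while the writer emits all 31 bytes, so the record contains the closing quote and the os.execute call. The hardened path rejects the same buffer before any comparison. Note that rejecting NULs alone is not enough: the byte loop also refuses quote and backslash characters, because any byte that can close the Lua string literal turns a benign-looking username into code.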
Affected Versions
This critical vulnerability impacts WingFTP versions prior to 7.4.4, which contains the fix. Users running earlier versions should upgrade their WingFTP installation to the latest version to prevent exploitation of this flaw. Check out their official post on the upgrade process.
This flaw showcases the importance of rigorous input validation and secure coding practices.
Keeping software up to date and staying informed about emerging threats is essential, including monitoring the security advisories for the key tools and software in use.
Check out RCE Security’s full post including analysis and proof of concept on their website post here.