CVE Database · CVE-2025-47812
CVSS v3.1
10.0
EPSS
95.34%
Published
Jul 10, 2025
Modified
Nov 5, 2025
CISA Known Exploited Vulnerability
Added: 2025-07-14 · Due: 2025-08-04
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Public PoC / Exploit (11)
All weaponized →Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWeaknesses (CWE)
Affected Products (1)
References (6)