Wing FTP Server RCE (CVE-2025-47812) - Vulnerability Database

Wing FTP Server RCE (CVE-2025-47812)

Description

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812). The web interface's login handler mishandles NULL ('\0') bytes in the username parameter: the credential check treats the submitted name as a C string and stops at the NULL byte, so a valid username (or the anonymous account, where it is enabled) followed by a NULL is accepted, while the full submitted string, including everything after the NULL, is written unescaped into the user's Lua session file. Because the server loads that session file as Lua code, an attacker can append Lua statements to the username and have them executed with the privileges of the FTP service, which is root or SYSTEM in a default installation. No stolen credentials are needed when the anonymous account is enabled, which is why the flaw is treated as reachable by unauthenticated attackers.
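The following is an added, simplified model of the bug class described above; it is not Wing FTP Server's code and does not reproduce its real session-file layout. It assumes a C-style credential check (comparison stops at the first NUL), a session writer that copies the full username into Lua source, and an enabled anonymous account. The constructed PAYLOAD shows how bytes after the NUL become a Lua statement, and the hardened writer shows the two fixes that matter: rejecting NUL and control bytes before authentication, and escaping the value when it is serialised into Lua.

```python
import re

# Constructed account table: anonymous login is enabled with no password,
# which is what makes the bug reachable without stolen credentials.
KNOWN_USERS = {"anonymous"}

# Constructed payload: a valid name, a NUL, then a closing quote and a Lua
# statement; the trailing "--" comments out the remainder of the original line.
PAYLOAD = 'anonymous\x00"\nos.execute("id") --'


def c_str(s: str) -> str:
    """Emulate a C string: everything after the first NUL byte is invisible."""
    return s.split("\x00", 1)[0]


def login_ok(username: str) -> bool:
    """Credential check that only ever sees the NUL-terminated prefix."""
    return c_str(username) in KNOWN_USERS


def vulnerable_session_file(username: str) -> str:
    """Session writer that embeds the *full* username into Lua source.

    The name was authenticated as its C-string prefix, but the bytes after the
    NUL are copied verbatim, so anything following a closing quote is treated
    as code when the session file is loaded.
    """
    return f'username = "{username}"\nrole = "user"\n'


def lua_string(s: str) -> str:
    """Lua string literal with quotes, backslashes and control bytes escaped."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\{ord(ch):03d}")  # Lua decimal escape, e.g. \000
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def hardened_session_file(username: str) -> str:
    """Reject NUL bytes and anything outside a tight allowlist, then escape anyway."""
    if "\x00" in username or not re.fullmatch(r"[A-Za-z0-9_.@-]{1,64}", username):
        raise ValueError("username rejected")
    return f'username = {lua_string(username)}\nrole = "user"\n'


def code_outside_strings(lua_src: str) -> str:
    """Return only the characters Lua would treat as code: strip "..." literals
    (honouring backslash escapes) and -- line comments. Minimal scanner with no
    long-bracket or single-quote support; enough for this session format."""
    out, i, n = [], 0, len(lua_src)
    while i < n:
        ch = lua_src[i]
        if ch == '"':
            i += 1
            while i < n and lua_src[i] != '"':
                i += 2 if lua_src[i] == "\\" else 1
            i += 1
        elif lua_src.startswith("--", i):
            while i < n and lua_src[i] != "\n":
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


DANGEROUS = re.compile(r"\b(?:os\.execute|io\.popen|load|loadstring|dofile)\s*\(")


def has_injected_call(lua_src: str) -> bool:
    """True if a command-execution call appears outside literals and comments."""
    return DANGEROUS.search(code_outside_strings(lua_src)) is not None


if __name__ == "__main__":
    print("login accepted:", login_ok(PAYLOAD))
    print("vulnerable file:", repr(vulnerable_session_file(PAYLOAD)))
    print("injected code:", has_injected_call(vulnerable_session_file(PAYLOAD)))
    try:
        hardened_session_file(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

The has_injected_call scanner is also usable on its own against saved session files when hunting for compromise: a legitimate session only ever has string values on the right-hand side, so any call expression outside a literal is worth an investigation.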

Remediation

Apply the following remediation steps immediately:

1. Upgrade Wing FTP Server to 7.4.4 or later, the release that addresses CVE-2025-47812. Check the vendor's release notes for the current version before deploying.

2. If immediate patching is not possible, implement the following temporary mitigations:
- Disable the anonymous account if it is not required, since it is the easiest account with which to reach the vulnerable login path
- Restrict network access to the Wing FTP Server web interface and FTP service using firewall rules, allowing only trusted IP addresses
- Place the web interface behind a Web Application Firewall (WAF) or reverse proxy that decodes the login POST body once and rejects requests whose username contains a NULL byte (%00), whether raw or double-encoded
- Monitor server logs for login attempts whose usernames contain NULL bytes, unusual characters, or Lua tokens such as os.execute

3. After patching, review system logs and the session files in the server's session directory for indicators of compromise: session files that contain Lua statements beyond the expected username and session fields, unexpected child processes spawned by the Wing FTP process, and unauthorized or anonymous logins around the time of suspicious requests.

4. Implement defense-in-depth measures such as running the FTP service under a dedicated low-privilege account rather than root or SYSTEM, so that a successful injection does not immediately yield full control of the host, and enabling comprehensive logging and monitoring.
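As an added example of the filtering and monitoring steps above (not Invicti's or Wing FTP's code), the function below inspects a login request body the way a reverse proxy or log-replay script would. It assumes an application/x-www-form-urlencoded body with fields named username and password; the sample bodies are constructed for the example. The point it demonstrates is that the body must be percent-decoded exactly once, as the origin server does, and then matched on raw bytes: a filter that only looks at the URL, or that strips NUL bytes before pattern matching, lets the attack through.

```python
from urllib.parse import unquote_to_bytes

# Tokens that have no business in a username but appear in Lua injection
# attempts against a session file (closing quotes/brackets, calls, comments).
LUA_MARKERS = (b"os.execute", b"io.popen", b"loadstring", b"dofile", b'"]', b"]]", b"--")
MAX_USERNAME = 64

# Constructed sample request bodies; the second mimics the NUL-then-Lua shape
# of the exploit, the third is a double-encoded probe.
SAMPLES = {
    "benign": b"username=alice&password=s3cret%21",
    "nul_injection": b"username=anonymous%00%22%5D%5Dos.execute%28%22id%22%29--&password=",
    "double_encoded": b"username=anonymous%2500x&password=",
}


def parse_form(body: bytes) -> dict:
    """Decode a form body exactly once so that %00 becomes a real NUL byte.
    Later duplicate fields overwrite earlier ones, mirroring common servers."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, val = pair.partition(b"=")
        fields[unquote_to_bytes(key.replace(b"+", b" "))] = unquote_to_bytes(
            val.replace(b"+", b" ")
        )
    return fields


def inspect_login(body: bytes, fields=(b"username", b"password")) -> list:
    """Return the reasons to block a login request; an empty list means allow."""
    reasons = []
    form = parse_form(body)
    for name in fields:
        val = form.get(name)
        if val is None:
            continue
        label = name.decode("ascii", "replace")
        if b"\x00" in val:
            reasons.append(f"NUL byte in {label}")
        elif any(c < 0x20 or c == 0x7F for c in val):
            reasons.append(f"control byte in {label}")
        if b"%00" in val.lower():
            # Survived one decode, so the client sent %2500: a probe for
            # servers that decode twice. Not exploitable here, still worth noting.
            reasons.append(f"double-encoded NUL in {label}")
        if name == b"username":
            if any(marker in val for marker in LUA_MARKERS):
                reasons.append("Lua token in username")
            if len(val) > MAX_USERNAME:
                reasons.append("username too long")
    return reasons


def should_block(body: bytes) -> bool:
    """Blocking policy: anything with a NUL, control byte or Lua token is denied."""
    return any(not r.startswith("double-encoded") for r in inspect_login(body))


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        verdict = "BLOCK" if should_block(body) else "allow"
        print(f"{label:15} {verdict:5} {inspect_login(body)}")
```

Wire should_block into the proxy's request hook for POSTs to the login endpoint, and feed the same inspect_login over archived request bodies to find past attempts; the double-encoded reason is reported but not blocked on its own, which is a policy choice you can tighten.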
