CVE-2025-47812
Analyzed
Published: 10 Jul 2025, 00:00
Last modified: 26 Feb 2026, 17:50
Vulnerability Summary
- Overall Risk (default): critical, 90/100
- CVSS Score: 10 CRITICAL, v3.1 (cve.org)
- EPSS Score: 92.27% CRITICAL, 92% probability, -0.19%
- KEV: Listed (CISA, 1 listing)
- Ransomware: No reports
- Public exploits: 5 found
- Dark Web: Not detected
Timeline
- 10 Jul 2025, 00:00 • Published • Vulnerability first disclosed
- 14 Jul 2025, 00:00 • Added to CISA KEV • Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
- 04 Aug 2025, 00:00 • CISA Remediation Due • Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- 26 Feb 2026, 17:50 • Last Modified • Vulnerability information updated
Description
In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
CVSS Metrics
- v3.1 • CRITICAL • Score: 10 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 92.27% • Percentile: 100%
Techniques & Countermeasures
- CWE-158 • Improper Neutralization of Null Byte or NUL Character
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Affected Systems
- wftpserver • wing ftp server • < 7.4.4
References (6)
- https://www.wftpserver.com
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812