Overview
Wing FTP Server versions 7.4.3 and earlier contain a critical command injection vulnerability in the login authentication mechanism. The vulnerability arises from improper handling of NULL bytes in the username parameter, allowing unauthenticated attackers to execute arbitrary system commands with elevated privileges when anonymous login is enabled. This is a pre-authentication remote code execution vulnerability that requires no user interaction. The vulnerability was disclosed on July 10, 2025. CISA has identified CVE-2025-47812 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Wing FTP Server fails to properly sanitize NULL byte characters in the username parameter during the FTP login process. An attacker can craft a specially-formed username containing NULL bytes that bypasses authentication validation, allowing arbitrary shell command injection. When anonymous login is enabled on the server, the attacker can authenticate without valid credentials and execute system commands with the privileges of the FTP server process, typically SYSTEM on Windows or root on Linux installations.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-158 (Improper Neutralization of Null Byte or NUL Character) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its critical severity.
Impact
A remote, unauthenticated attacker can execute arbitrary operating system commands with the privileges of the Wing FTP Server process. This typically results in complete system compromise, allowing the attacker to: read, modify, or delete arbitrary files; install malware or persistence mechanisms; pivot to other systems on the network; exfiltrate sensitive data; disrupt service availability; or establish reverse shells for ongoing access. The scope changes because the attack can impact resources beyond the vulnerable component.
Mitigation and workarounds
Wing Software has released version 7.4.4, which addresses the NULL byte handling vulnerability. Users should upgrade immediately via the official Wing Software website (www.wingsftpserver.com): download the latest installer or update package and follow the installation instructions. For managed installations, verify after the update that the patched version is actually installed. The following versions include the necessary fixes: Wing FTP Server 7.4.4 or later.
As temporary workarounds: disable anonymous login on the FTP server if it is not required for legitimate operations, which prevents unauthenticated access and exploitation of the vulnerability; implement network-level access controls that restrict FTP connections (port 21) to trusted IP addresses or networks using firewall rules or access control lists; deploy a web application firewall (WAF) or IDS/IPS capable of detecting and blocking FTP commands containing NULL bytes or suspicious authentication attempts; and run Wing FTP Server with minimal privileges under a dedicated unprivileged user account instead of SYSTEM/Administrator or root. The last measure does not prevent exploitation, but it limits the damage an attacker can cause.
CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
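The following Python is an added example, not code from Wing Software or from this advisory. It illustrates three defensive checks that follow from the technical details and the workarounds above: a version comparison against the fixed release 7.4.4 for update verification, the kind of input validation that rejects NUL bytes in a username before it reaches authentication or any command construction (the CWE-158 / CWE-78 root cause), and a small IDS-style detector run over constructed log lines. The log line format, the allowed username character set and the function names are assumptions made for the example; Wing FTP Server's real log format is not documented on this page.

```python
"""Defensive checks related to the Wing FTP Server NULL-byte login issue.

Added example, not vendor code. The log format below and the username
policy are assumptions made for illustration only.
"""
import re

# First release stated above as containing the fix.
FIXED_VERSION = (7, 4, 4)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a string such as
    'Wing FTP Server 7.4.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True when the reported version is 7.4.4 or later."""
    return parse_version(version_text) >= FIXED_VERSION


# --- hardened username validation (assumed policy) -----------------------
# Only ASCII letters, digits and a few punctuation characters; no control
# bytes of any kind. This is the check a login handler should run on the
# raw bytes before they are used anywhere else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def validate_username(raw: bytes) -> str:
    """Reject NUL and other control bytes; return the clean username."""
    if b"\x00" in raw:
        raise ValueError("NUL byte in username")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in username")
    if not USERNAME_RE.fullmatch(text):
        raise ValueError("username contains disallowed characters")
    return text


# --- detection over log lines --------------------------------------------
# Constructed sample lines in a hypothetical "timestamp [client] COMMAND arg"
# format. The third and fourth lines carry a NUL in two common escaped forms.
SAMPLE_LOG = [
    "2025-07-10 12:00:01 [203.0.113.5] USER alice",
    "2025-07-10 12:00:03 [203.0.113.5] USER anonymous",
    "2025-07-10 12:00:07 [198.51.100.9] USER bob\\x00x",
    "2025-07-10 12:00:09 [198.51.100.9] USER bob%00x",
]

# A USER argument containing a NUL literally, as '\x00' text, or URL-encoded.
SUSPICIOUS = re.compile(r"USER\s+\S*(\\x00|%00|\x00)")
CLIENT_RE = re.compile(r"\[([^\]]+)\]")


def flag_suspicious_logins(lines):
    """Return (client, line) for each USER command whose argument carries a
    NUL byte; these are the attempts an IDS/IPS rule should alert on."""
    hits = []
    for line in lines:
        if SUSPICIOUS.search(line):
            m = CLIENT_RE.search(line)
            hits.append((m.group(1) if m else "?", line))
    return hits


if __name__ == "__main__":
    for v in ("Wing FTP Server 7.4.3", "Wing FTP Server 7.4.4"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for client, line in flag_suspicious_logins(SAMPLE_LOG):
        print("ALERT", client, line)
```

The detector deliberately matches escaped representations as well as a literal NUL, because log writers commonly escape control bytes before writing them; a rule that only looks for the raw byte would miss those lines.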
Additional resources
Source: This report was generated by AI