Overview
Wing FTP Server versions 7.4.3 and earlier contain a critical command injection vulnerability in the login authentication mechanism. The vulnerability arises from improper handling of NULL bytes in the username parameter, allowing unauthenticated attackers to execute arbitrary system commands with elevated privileges when anonymous login is enabled. This is a pre-authentication remote code execution vulnerability that requires no user interaction. The vulnerability was disclosed on July 10, 2025. CISA has identified CVE-2025-47812 as actively exploited, though it is not currently known to be used in ransomware campaigns.
Technical details
Wing FTP Server fails to properly sanitize NULL byte characters in the username parameter during the FTP login process. An attacker can craft a specially formed username containing NULL bytes that bypasses authentication validation, allowing arbitrary shell command injection. When anonymous login is enabled on the server, the attacker can authenticate without valid credentials and execute system commands with the privileges of the FTP server process, typically SYSTEM on Windows or root on Linux installations.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-158 (Improper Neutralization of Null Byte or NUL Character) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
A remote, unauthenticated attacker can execute arbitrary operating system commands with the privileges of the Wing FTP Server process. This typically results in complete system compromise, allowing the attacker to: read, modify, or delete arbitrary files; install malware or persistence mechanisms; pivot to other systems on the network; exfiltrate sensitive data; disrupt service availability; or establish reverse shells for ongoing access. The CVSS scope metric is Changed because the attack can affect resources beyond the vulnerable component.
Mitigation and workarounds
Wing Software has released version 7.4.4 which addresses the NULL byte handling vulnerability. Users should upgrade immediately via the official Wing Software website (www.wingsftpserver.com). Download the latest installer or update package and follow the installation instructions. For managed installations, ensure update verification is performed to confirm the patched version is installed. The following versions include the necessary fixes: Wing FTP Server 7.4.4 or later.
As temporary workarounds:
Disable anonymous login on the FTP server if it is not required for legitimate operations. This prevents unauthenticated access and exploitation of the vulnerability.
Implement network-level access controls to restrict FTP connections (port 21) to trusted IP addresses or networks only, using firewall rules or access control lists.
Deploy a web application firewall (WAF) or IDS/IPS capable of detecting and blocking FTP commands containing NULL bytes or suspicious authentication attempts.
Run Wing FTP Server with minimal privileges, using a dedicated unprivileged user account instead of SYSTEM/administrator or root. While this does not prevent exploitation, it limits the damage an attacker can cause.
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
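Two of the mitigation steps above, confirming the installed version is at or past the fixed release and detecting USER commands that carry a NULL byte, can be scripted. The following is an added example written for this advisory, not vendor or CISA code; the FTP control-channel lines it scans are constructed samples, and the version strings are assumed to follow the plain major.minor.patch form used in the advisory.

```python
"""Defensive checks for CVE-2025-47812 (Wing FTP Server <= 7.4.3).

Added example, not part of the advisory. It shows (1) a version check
against the fixed release 7.4.4 and (2) a detector that scans raw FTP
control-channel lines for USER commands containing a NUL byte, the
trigger the advisory describes. Sample traffic is constructed.
"""
from typing import List, Tuple

FIXED_VERSION = (7, 4, 4)  # first release the vendor states as patched


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.3' into (7, 4, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed Wing FTP Server version predates 7.4.4."""
    return parse_version(version) < FIXED_VERSION


def find_null_byte_logins(control_lines: List[bytes]) -> List[Tuple[int, bytes]]:
    """Return (line_index, raw_line) for each USER command containing 0x00.

    Legitimate FTP usernames are printable text (RFC 959), so a NUL byte in
    a USER argument is a reliable indicator and a usable IDS/IPS condition.
    """
    hits = []
    for idx, raw in enumerate(control_lines):
        command, _, argument = raw.rstrip(b"\r\n").partition(b" ")
        if command.upper() == b"USER" and b"\x00" in argument:
            hits.append((idx, raw))
    return hits


# Constructed control-channel sample: a normal anonymous login followed by
# a login attempt whose username embeds a NUL byte.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER anon\x00ymous\r\n",
    b"PASS x\r\n",
]

if __name__ == "__main__":
    print("7.4.3 vulnerable:", is_vulnerable("7.4.3"))  # True
    for idx, raw in find_null_byte_logins(SAMPLE_SESSION):
        print(f"line {idx}: USER with NUL byte -> {raw!r}")
```

Feed `find_null_byte_logins` the decoded control-channel lines from a packet capture or FTP proxy log to flag login attempts that match the advisory's trigger condition.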
Additional resources
Source: This report was generated using AI