CVE-2025-47812
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-11-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wftpserver | wing_ftp_server | to 7.4.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Wing FTP Server versions before 7.4.4, where the user and admin web interfaces improperly handle '\0' bytes. This flaw allows attackers to inject arbitrary Lua code into user session files, leading to remote code execution with the privileges of the FTP service, which are typically root or SYSTEM. The vulnerability can be exploited even through anonymous FTP accounts.
How can this vulnerability impact me? :
The vulnerability can lead to a total server compromise by allowing attackers to execute arbitrary system commands with high-level privileges (root or SYSTEM). This means an attacker can take full control of the affected server remotely, potentially leading to data theft, service disruption, or further attacks within the network.