1. Summary of vulnerabilities
CVE-2025-47812 is a critical Remote Code Execution (RCE) vulnerability in Wing FTP Server. It stems from the server failing to properly filter null bytes (\0, URL-encoded as %00) when processing user input in the web administration interface.
An attacker can inject malicious code into the server's session files by placing a null byte followed by Lua script code in the username parameter, either bypassing the authentication logic or using the anonymous login mechanism. When the server subsequently loads the session file, the injected Lua code is parsed and executed.
Since Wing FTP Server runs with elevated privileges by default (SYSTEM on Windows, root on Linux/Unix), successful exploitation leads directly to complete takeover of the server. In-the-wild exploitation of this vulnerability has already been observed on the Internet.
Vulnerability Impact Assessment:
2. Vulnerability analysis
2.1 Vulnerability Principles
The vulnerability centers around an inconsistency in string handling between Wing FTP Server's web interface (specifically the component that handles login logic) and the underlying session management mechanism.
- Input point: the vulnerability is triggered through the interface that handles the user's login request, primarily POST /loginok.html.
- Null byte truncation: the back-end C++ authentication module stops reading the username when it encounters a null byte (\0). If an attacker submits username=anonymous%00[malicious code], the authentication module only reads "anonymous", so authentication succeeds (assuming anonymous access is enabled or a valid username is used).
- Lua injection: although the authentication module is fooled by the truncation, the module that writes the user's information to the session file (stored in Lua script format) is not truncated by the null byte; the complete string, including the malicious code after the null byte, is written to the session file on disk.
- Code execution: Wing FTP uses Lua scripts to manage session state. When the user visits another page (such as /dir.html) and a session load is triggered, the server parses and executes the Lua code in the session file, which results in RCE.
2.2 Attack Vector
- Attack vector: network (remote attack).
- Privilege requirement: high privileges are not required. If anonymous login is enabled on the server, the attacker can exploit the vulnerability completely unauthenticated; if not, a low-privilege ordinary account is sufficient to escalate privileges.
- Interaction: no user interaction required (zero-click).
3. Impact of vulnerabilities
3.1 Technological impacts
- Full system control: an attacker can execute arbitrary system commands.
- Elevation of privileges: the malicious code inherits the permissions of the Wing FTP service, usually NT AUTHORITY\SYSTEM (Windows) or root (Linux).
- Persistence and lateral movement: attackers can use this vulnerability to install backdoors or ransomware, or as a springboard to attack other assets on the intranet.
3.2 Operational impact
- Data breach: all sensitive files stored on the FTP server (source code, financial data, personal information, etc.) are at risk of being stolen.
- Service interruption: attackers can delete files or encrypt data (ransomware), paralyzing the business.
- Compliance risk: may cause an organization to violate laws and regulations such as GDPR, HIPAA, or China's Multi-Level Protection Scheme (MLPS, 等级保护).
4. Exploit analysis and validation
Warning: This section is intended for security research and defense verification only, and is strictly prohibited for use in illegal attacks.
4.1 Proof of Concept Logic (PoC Logic)
The attack process is divided into two main HTTP request phases:
Step 1: Injecting a Malicious Session (Payload Delivery)
The attacker sends a POST request to /loginok.html.
- Header: Content-Type: application/x-www-form-urlencoded
- Payload (schematic):
username=ValidUser%00';os.execute('calc.exe');--&password=AnyPassword
Analysis: ValidUser passes the validation check; the %00 truncates the username for the authentication module, and the Lua code that follows it is written to the session file.
Step 2: Trigger Code Execution (Trigger)
The attacker presents the cookie (session ID) returned in step 1 to any page that requires authentication, such as /dir.html.
- Server loads the session file -> parses the Lua code -> executes os.execute('calc.exe').
4.2 Validation methods
Log audit:
Check Wing FTP's access logs or system logs for the following characteristics:
- POST data in requests to loginok.html contains %00 or a hexadecimal 0x00 byte.
- Session files containing unusual Lua syntax appear in the session directory.
- The server process (wftpserver.exe) spawns unexpected child processes (such as cmd.exe, powershell.exe, sh, bash).
Network traffic analysis:
Monitor HTTP POST request bodies on the WAF or IDS/IPS and match them against the regular expression rule: username=.*%00.*.
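The log-audit and WAF criteria above, as an added detection example that is not part of the original article: it flags POST requests to /loginok.html whose username parameter carries a null byte, either as %00 (the regex rule) or as a raw 0x00 byte after URL decoding. The request records and their format are constructed here, since the advisory does not show Wing FTP's actual log layout.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request records (method, path, body). Hypothetical: the
# real Wing FTP access-log format is not given in the advisory.
SAMPLE_RECORDS = [
    ("POST", "/loginok.html", "username=alice&password=secret"),
    ("POST", "/loginok.html",
     "username=ValidUser%00';os.execute('calc.exe');--&password=AnyPassword"),
    ("POST", "/loginok.html", "username=bob%2500&password=x"),   # double-encoded: decodes to the text "%00", not a NUL
    ("GET", "/dir.html", ""),
    ("POST", "/loginok.html", "username=carol\x00x&password=y"),  # raw 0x00 byte in the body
]

# The advisory's WAF/IDS rule, narrowed to the username field only.
PERCENT_NULL_RE = re.compile(r"username=[^&]*%00", re.IGNORECASE)


def username_field(body: str):
    """Return the raw (still URL-encoded) value of the username parameter, or None."""
    for pair in body.split("&"):
        if pair.startswith("username="):
            return pair[len("username="):]
    return None


def has_null_byte(encoded_value: str) -> bool:
    """True if the decoded form value contains a 0x00 byte (covers %00 and raw NUL)."""
    return b"\x00" in unquote_to_bytes(encoded_value)


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """Flag a POST to /loginok.html whose username carries a null byte."""
    if method.upper() != "POST" or path != "/loginok.html":
        return False
    value = username_field(body)
    if value is None:
        return False
    return bool(PERCENT_NULL_RE.search(body)) or has_null_byte(value)


def scan(records):
    """Return the indices of records that match the detection logic."""
    return [i for i, (m, p, b) in enumerate(records) if is_suspicious_login(m, p, b)]


if __name__ == "__main__":
    for i in scan(SAMPLE_RECORDS):
        print("suspicious login request:", SAMPLE_RECORDS[i][2])
```

Decoding the value before checking matters: a bare %00 string match misses a raw NUL byte in the body, while the double-encoded %2500 decodes to harmless text and is correctly left alone.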
5. Vulnerability solutions
5.1 Official Fixes (Recommended)
The vendor, Wing Soft, has released a security update to fix this vulnerability.
Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/cve-2025-47812-wing-ftp-server-remote-code-execution.html
