CVE-2025-47812

unknown KEV

Published 2025-07-14 · Modified 2025-07-14

CVSS v3

—

CVSS v2

—

VIR risk

1.5

Description

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).

CISA KEV

Vendor: Wing FTP Server
Product: Wing FTP Server
Due date: 2025-08-04

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812

Exploits

References

https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812

Verify integrity in audit chain (admin only). AS-IS.