Wing FTP < 7.4.4 Remote Code Execution

critical Web App Scanning Plugin ID 114925

Synopsis

Wing FTP < 7.4.4 Remote Code Execution

Description

Wing FTP version 7.4.2 and earlier is vulnerable to a remote code execution vulnerability due to improper handling of null characters in file paths. An attacker can exploit this vulnerability by sending a specially crafted request that includes a null character, allowing them to execute arbitrary commands on the server.

Solution

Upgrade to Wing FTP version 7.4.4 or later.

See Also

https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

Plugin Details

Severity: Critical

ID: 114925

Type: remote

Published: 7/28/2025

Updated: 7/28/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-47812

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: CVE-2025-47812

Vulnerability Information

CPE: cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2025

Vulnerability Publication Date: 6/29/2025

CISA Known Exploited Vulnerability Due Dates: 8/4/2025

Reference Information

CVE: CVE-2025-47812