CVE-2025-47812

CRITICAL · KEV · NUCLEI

Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)

Title source: metasploit

Exploitation Summary

CVE-2025-47812 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 14, 2025. EIP tracks 24 public exploits from researchers including 4m3rr0r, 0xcan1337 and XiaomingX, as well as a Metasploit module, exploits/multi/http/wingftp_null_byte_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a NULL byte injection in the username parameter during login to inject Lua code into session files, which is executed when accessing authenticated functionalities, leading to unauthenticated RCE in Wing FTP Server <= 7.4.3.

Description

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. It is also exploitable via anonymous FTP accounts.

Exploits (24)

exploitdb WORKING POC
by 4m3rr0r · python · remote · multiple
https://www.exploit-db.com/exploits/52347

This exploit leverages a NULL byte injection in the username parameter during login to inject Lua code into session files, which is executed when accessing authenticated functionalities, leading to unauthenticated RCE in Wing FTP Server <= 7.4.3.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Network access to the target server · Wing FTP Server version <= 7.4.3
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 43 stars
by 4m3rr0r · remote
https://github.com/4m3rr0r/CVE-2025-47812-poc

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server <= 7.4.3. The exploit leverages NULL byte injection in the username parameter to achieve unauthenticated remote code execution via Lua code injection in session files.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Network access to the target server · Wing FTP Server version <= 7.4.3
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 12 stars
by 0xcan1337 · remote
https://github.com/0xcan1337/CVE-2025-47812-poC

This repository contains a functional exploit for CVE-2025-47812, targeting Wing FTP Server versions 7.4.3 and earlier. The exploit leverages improper handling of NULL bytes in the username parameter to inject Lua code, enabling remote command execution and reverse shell establishment.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Network access to the target server · Wing FTP Server version 7.4.3 or earlier
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-47812

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for admin credentials and password hashes.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · injection header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-47812.md

The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup includes vulnerability descriptions, proof-of-concept examples, mitigation recommendations, and references to external resources.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 3 stars
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2025-47812

This repository contains a functional exploit for CVE-2025-47812, targeting Wing FTP Server <= 7.4.3 via Lua injection in the login handler. The exploit allows remote command execution and includes options for both single commands and reverse shells.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Network access to the target server · Python 3.6 or higher · requests library
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 2 stars
by shadowgit30 · python · remote
https://github.com/shadowgit30/CVE-2025-47812

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server versions prior to 7.4.4. The exploit leverages a null byte injection in the username parameter to achieve unauthenticated remote code execution (RCE) via Lua code injection.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Target must be running Wing FTP Server < 7.4.4 · Anonymous login must be enabled
devstral-2 · analyzed Feb 19, 2026
github WORKING POC 1 star
by Nara-sakurai · python · remote
https://github.com/Nara-sakurai/CVE-2025-47812-PoC

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server < 7.4.4. The exploit leverages improper null byte handling in the login endpoint to inject Lua code into session files, enabling unauthenticated remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Network access to the target server · Python 3.7+ with requests library
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by r0otk3r · remote
https://github.com/r0otk3r/CVE-2025-47812

This repository contains a functional exploit for CVE-2025-47812, targeting Wing FTP Server versions before 7.4.4. The exploit leverages a Lua injection vulnerability via null byte manipulation in the login input to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Anonymous login enabled or valid credentials · Network access to the target server
devstral-2 · analyzed Feb 18, 2026
github WORKING POC
by 0xS4N4TG · remote
https://github.com/0xS4N4TG/CVE-2025-47812

This repository contains a functional Python exploit for CVE-2025-47812, an unauthenticated RCE vulnerability in Wing FTP Server ≤ 7.4.3. The exploit leverages a NULL-byte injection in the username field to inject Lua code into a session file, which is then executed when accessing authenticated endpoints.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server ≤ 7.4.3
No auth needed
Prerequisites: Target must be running Wing FTP Server ≤ 7.4.3 · Network access to the target's web interface (default port 5466)
devstral-2 · analyzed May 24, 2026
github SCANNER
by H3XploR · c · remote
https://github.com/H3XploR/Exploit_CVE-2025-47812

The repository contains a simple C program that sends a basic HTTP GET request to a target IP but does not demonstrate exploitation of CVE-2025-47812. It lacks payload delivery or exploitation logic, functioning more as a network scanner.

Classification: Scanner 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Wing FTP Server 7.4.3
No auth needed
Prerequisites: target IP address
devstral-2 · analyzed Apr 25, 2026
nomisec WRITEUP
by Majdae · poc
https://github.com/Majdae/CVE-2025-47812-Research

This repository provides a technical analysis of CVE-2025-47812, a critical RCE vulnerability in Wing FTP Server via Lua injection. It includes a detailed report with static and dynamic analysis but does not contain exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Wing FTP Server < 7.4.4 · Lua injection vector
devstral-2 · analyzed Apr 10, 2026
nomisec WORKING POC
by 0xjuarez · remote
https://github.com/0xjuarez/CVE-2025-47812

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server <= 7.4.3. The exploit leverages unauthenticated Lua code injection via crafted login requests to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: network access to target server · Python 3.x environment
devstral-2 · analyzed Feb 24, 2026
nomisec WORKING POC
by popyue · remote
https://github.com/popyue/CVE-2025-47812

This repository contains a functional exploit for CVE-2025-47812, which leverages a NULL byte authentication bypass and Lua code injection in Wing FTP Server to achieve unauthenticated remote code execution. The exploit includes detailed technical analysis and a Python script to execute commands, spawn shells, or dump sensitive files.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Python 3.10+ · requests library · urllib3 library
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by estebanzarate · remote
https://github.com/estebanzarate/CVE-2025-47812-Wing-FTP-Server-7.4.3-Unauthenticated-RCE-PoC

This repository contains a functional Python exploit for CVE-2025-47812, demonstrating unauthenticated remote code execution in Wing FTP Server <= 7.4.3 via NULL byte injection in the username parameter, leading to Lua code execution in session files.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Network access to the target server · Python 3 with requests and prompt_toolkit libraries
devstral-2 · analyzed Feb 20, 2026
nomisec WORKING POC
by havbay · poc
https://github.com/havbay/CVE-2025-47812-PoC

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server < 7.4.4. The exploit leverages null byte injection in the login endpoint to achieve unauthenticated remote code execution via Lua code injection.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Python 3.7+ · requests library · target server reachable on port 5466
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC
by matesz44 · remote
https://github.com/matesz44/CVE-2025-47812

This script exploits an unauthenticated remote code execution vulnerability in Wing FTP Server 7.4.3 by injecting a Lua payload into the login request via the username parameter, then retrieving the command output via a crafted cookie. The exploit leverages a command injection flaw in the authentication mechanism.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server 7.4.3
No auth needed
Prerequisites: curl · anonymous access enabled
devstral-2 · analyzed Feb 19, 2026
nomisec SCANNER
by rxerium · poc
https://github.com/rxerium/CVE-2025-47812

This repository contains a Nuclei template for detecting Wing FTP Server versions vulnerable to CVE-2025-47812 by checking the version in the web client's HTML response. It does not include an exploit but scans for vulnerable versions.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Access to the Wing FTP Server web interface
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by dkstar11q · poc
https://github.com/dkstar11q/Blackash-CVE-2025-47812

The repository contains a functional exploit for CVE-2025-47812, targeting Wing FTP Server. The exploit leverages a null byte injection in the username parameter to execute arbitrary Lua code, leading to remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Network access to the target server · Wing FTP Server with vulnerable version
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by blindma1den · remote
https://github.com/blindma1den/CVE-2025-47812

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server < 7.4.4. The exploit leverages improper handling of null bytes in the login form to inject Lua code into session files, enabling unauthenticated remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
No auth needed
Prerequisites: Python 3.7+ · requests module · network access to target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by pevinkumar10 · remote
https://github.com/pevinkumar10/CVE-2025-47812

This repository contains a functional exploit for CVE-2025-47812, which leverages improper input validation in Wing FTP Server to achieve unauthenticated remote code execution via NULL byte injection in usernames, leading to Lua payload execution in session files.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server <= 7.4.3
No auth needed
Prerequisites: Target running Wing FTP Server <= 7.4.3 · Anonymous login enabled or valid credentials
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by ill-deed · remote
https://github.com/ill-deed/WingFTP-CVE-2025-47812-illdeed

This repository contains a functional Python exploit for CVE-2025-47812, targeting Wing FTP Server. The exploit leverages a Lua injection vulnerability in the username parameter during authentication to achieve remote command execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server
No auth needed
Prerequisites: Network access to the target Wing FTP Server · Target server must be running a vulnerable version of Wing FTP Server
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by Valentin Lobstein, Julien Ahrens · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wingftp_null_byte_rce.rb

This Metasploit module exploits a NULL-byte truncation vulnerability in Wing FTP Server (CVE-2025-47812) to bypass authentication and inject arbitrary Lua code, leading to remote code execution with root/SYSTEM privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server < 7.4.4
Auth required
Prerequisites: Valid username for authentication · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb

This Metasploit module exploits an authenticated command execution vulnerability in Wing FTP Server's admin web interface by leveraging the embedded Lua interpreter to execute arbitrary system commands via `os.execute()`. It supports both PowerShell and VBS-based payload delivery.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wing FTP Server >= 3.0.0
Auth required
Prerequisites: Valid admin credentials · Access to the admin web interface (port 5466 by default)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Wing FTP Server <= 7.4.3 - Remote Code Execution
CRITICAL · VERIFIED · by rcesecurity, 4m3rr0r
Shodan: http.html_hash:2121146066 || http.favicon.hash:963565804 || title:"Wing FTP Server" || Server: Wing FTP Server
FOFA: icon_hash="963565804" || title="Wing FTP Server" || Server: Wing FTP Server

Scores

CVSS v3 10.0
EPSS 0.9293
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-07-14
VulnCheck KEV 2025-07-10
ENISA EUVD EUVD-2025-21009
CWE
CWE-158
Status published
Products (1)
wftpserver/wing_ftp_server < 7.4.4
Published Jul 10, 2025
KEV Added Jul 14, 2025
Tracked Since Feb 18, 2026