CVE-2025-47812 PoC — Wing FTP Server 7.4.3及安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-47812.yaml

Associated Vulnerability

Title:Wing FTP Server 7.4.3及安全漏洞 (CVE-2025-47812)
Description:Wing FTP Server是Wing FTP Server开源的一套跨平台的FTP服务器软件。 Wing FTP Server 7.4.3版本及之前版本存在安全漏洞。攻击者利用该漏洞可以远程执行代码。

Description

Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).
The vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection
into session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting
in arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.

File Snapshot


 id: CVE-2025-47812

info:
  name: Wing FTP Server <= 7.4.3 - Remote Code Execution
  author: rcesecu

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-47812 PoC — Wing FTP Server 7.4.3及 安全漏洞