Red Hot Cyber


Tasting the Exploit: HackerHood tests the exploit for CVE-2025-47812 (CVSS score 10) in Wing FTP Server

Redazione RHC : 15 July 2025 10:09

This tool is intended solely for authorized educational and penetration testing purposes. The author assumes no responsibility for any misuse or damage caused by this software. Always ensure you have explicit, written authorization before performing any tests on a system.

In recent days a serious remote code execution vulnerability, CVE-2025-47812, has been brought to the attention of the infosec community. It affects Wing FTP Server, a product used by thousands of companies to offer FTP, FTPS and HTTP services.

The exploit, which relies on NULL byte handling and Lua code injection, was tested by Manuel Roccon, root of Red Hot Cyber's HackerHood group, who recently created a subgroup called HackerHood Pwned in which security experts test the main exploits as they are published.

CVE-2025-47812, rated CVSS v3 10.0, is a flaw in the handling of NULL-terminated strings in loginok.html that lets an unauthenticated attacker inject arbitrary Lua code. In testing, the exploit proved very easy to run (3 on a scale from 1 to 10), consistent with the Low attack complexity reported by NIST.

The root cause is Wing FTP Server's improper handling of NULL bytes in the username parameter during authentication, which lets an attacker write Lua code directly into a session file. The malicious session file is executed the next time that session is loaded, so arbitrary commands run on the server.

Key features of the exploit tool include:

  • Remote code execution: runs any command of the attacker's choosing on the target server.
  • Root/SYSTEM privileges: the RCE often runs with the highest system privileges because of the default Wing FTP Server configuration.
  • Anonymous access: exploitable with nothing more than anonymous access, when the server permits it.
  • Batch scan: scans multiple targets from a file containing a list of URLs.
  • Custom command execution: the command to run on the vulnerable server can be specified by the operator.

CVE-2025-47812 is a critical vulnerability that results from several weaknesses in the way Wing FTP Server handles user authentication and sessions:

  1. NULL byte truncation in c_CheckUser(): the c_CheckUser() function, responsible for user authentication, internally calls strlen() on the supplied username. When a NULL byte (%00) is injected into the username (e.g. anonymous%00...), strlen() stops at that byte, so only the part of the username before the NULL byte is checked. Authentication therefore succeeds for the truncated name, bypassing proper validation of the rest.
  2. Full username in session creation: despite the truncation during authentication, the rawset(_SESSION, "username", username) call in loginok.html stores the full username, unsanitized, straight from the GET or POST parameter, including the NULL byte and every character after it.
  3. Lua code injection: because session files are stored as Lua scripts, Lua code placed after the NULL byte in the username (for example anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--) is written verbatim into the session file, where the ]] closes the string literal and the trailing -- comments out the remainder of the line.
  4. Session file execution: the SessionModule.load() function, invoked when an authenticated page (such as /dir.html) is requested, executes the session file directly with loadfile(filepath) followed by f(). This is the step that runs the injected Lua code and yields remote code execution.
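To make steps 1 to 4 concrete, here is an added Python simulation. It is not Wing FTP Server's code and not the HackerHood tool: it decodes the payload quoted above, shows what a strlen()-based check sees versus what the session writer stores, and mimics how the Lua lexer closes the long-bracket string at the first ]] so that everything after it is parsed as code. The `_SESSION["username"] = [[...]]` serialization format is an assumption inferred from the payload's ]] and trailing --, and the hardened check at the end is an illustrative mitigation, not the vendor's patch.

```python
import urllib.parse

# Payload quoted in the article, exactly as written (URL-encoded form value).
PAGE_PAYLOAD = ('anonymous%00]]%0dlocal+h+%3d+io.popen("id")%0dlocal+r+%3d+h%3aread("*a")'
                '%0dh%3aclose()%0dprint(r)%0d--')

KNOWN_USERS = {b"anonymous"}  # constructed: the server permits anonymous logins


def decode_form_value(encoded: str) -> bytes:
    """Decode a GET/POST value the way a web front end does: '+' is space, %XX is a byte."""
    return urllib.parse.unquote_plus(encoded).encode("latin-1")


def c_strlen_view(value: bytes) -> bytes:
    """What a C routine built on strlen() sees: only the bytes before the first NUL."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def c_check_user(username: bytes) -> bool:
    """Step 1, simulated c_CheckUser(): the NUL-truncated name is what gets compared,
    so 'anonymous\\x00<anything>' is accepted as 'anonymous'."""
    return c_strlen_view(username) in KNOWN_USERS


def serialize_session(username: bytes) -> str:
    """Step 2, simulated session writer: the full Lua string, NUL and all, is persisted
    into a Lua script.  The [[ ... ]] layout is assumed from the payload's structure."""
    return '_SESSION["username"] = [[' + username.decode("latin-1") + ']]\n'


def split_long_bracket(lua_source: str):
    """Step 3: mimic the Lua lexer on a [[ ... ]] long string.  The literal ends at the
    FIRST ']]'; whatever follows is parsed as code when the file is loaded."""
    start = lua_source.index("[[") + 2
    end = lua_source.index("]]", start)
    return lua_source[start:end], lua_source[end + 2:]


def injected_code(lua_source: str) -> str:
    """Step 4: the Lua code that would run on SessionModule.load(); empty for a
    well-formed session file, the attacker's statements for an injected one."""
    _, tail = split_long_bracket(lua_source)
    return tail.strip()


def check_user_hardened(username: bytes) -> bool:
    """Illustrative mitigation (assumption, not the vendor's fix): reject any username
    that a C string cannot represent or that could terminate the Lua literal."""
    if b"\x00" in username or b"]]" in username:
        return False
    if any(b < 0x20 for b in username):  # CR/LF and other control bytes
        return False
    return username in KNOWN_USERS


if __name__ == "__main__":
    payload = decode_form_value(PAGE_PAYLOAD)
    print("c_CheckUser sees  :", c_strlen_view(payload))
    print("login accepted?   :", c_check_user(payload))
    session = serialize_session(payload)
    print("session file      :", repr(session))
    print("code that executes:", repr(injected_code(session)))
    print("hardened accepts? :", check_user_hardened(payload))
```

The important observation is the mismatch between the two views of the same buffer: the C-level check and the Lua-level store disagree about where the username ends, and the session loader trusts the store. Rejecting NUL and control bytes before either code path sees the value removes the disagreement.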

The HackerHood Pwned group reproduced the technique in its lab, recorded a visual demonstration of the attack and published it online. The video shows the Lua injection, the payload download and its execution, which opens a shell with elevated privileges. "This is how an unauthenticated attacker can, in seconds, gain full control of a Wing FTP server."

Urgent measures suggested to organizations:

Action                   | Detail
Immediate update         | Install Wing FTP Server version 7.4.4 (available since May 14, 2025)
Disable anonymous access | Prevent anonymous logins, especially over HTTP/HTTPS
Active monitoring        | Check files in session/*.lua and logs in Domains/*/*.log for traces of Lua injection
Network rules            | Restrict HTTP/HTTPS access to authorized clients only
System administrators    | Enable antivirus/EDR (e.g. Microsoft Defender) and anomaly-detection solutions
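As an added example for the active-monitoring measure (this is not code from the article or from Wing FTP Server), the following Python scan walks session/*.lua files and flags the structural traces the injection described above leaves behind: a NUL byte inside a value, a Lua long-bracket string that closes early and is followed by code, and Lua calls that have no business in a session file. The session-file layout and both sample files are constructed for the example; the Domains/*/*.log format is not covered because the article does not describe it.

```python
import glob
import os
import re
import tempfile

# Lua APIs that should never appear in a serializer-generated session file (constructed list).
SUSPICIOUS_CALLS = ("io.popen", "os.execute", "loadstring", "dofile", "io.open", "require(")

# Constructed sample session files: one normal, one carrying the injection pattern
# described in the article (NUL byte, early ']]', Lua statements, trailing '--').
BENIGN_SESSION = '_SESSION["username"] = [[alice]]\n_SESSION["domain"] = [[example.com]]\n'
MALICIOUS_SESSION = ('_SESSION["username"] = [[anonymous\x00]]\rlocal h = io.popen("id")'
                     '\rlocal r = h:read("*a")\rh:close()\rprint(r)\r--]]\n')


def scan_session_text(text: str) -> list:
    """Return a list of findings for one session file; empty means nothing suspicious."""
    findings = []
    if "\x00" in text:
        findings.append("NUL byte inside a session value")
    # A well-formed file has one ']]' per '[['; an early close adds an extra ']]'.
    if text.count("[[") != text.count("]]"):
        findings.append("unbalanced Lua long brackets (string literal closed early)")
    # Between a closing ']]' and the end of the line there should be nothing at all;
    # anything found there is code the Lua loader would execute.
    for match in re.finditer(r"\]\]([^\n]*)", text):
        trailer = match.group(1).strip()
        if trailer:
            findings.append("code after string literal: " + trailer[:60])
            break
    for call in SUSPICIOUS_CALLS:
        if call in text:
            findings.append("suspicious Lua call: " + call)
    return findings


def scan_session_dir(path: str) -> dict:
    """Scan every *.lua file under a session directory; returns {basename: findings}."""
    results = {}
    for filename in sorted(glob.glob(os.path.join(path, "*.lua"))):
        # newline="" keeps CR bytes intact; latin-1 maps every byte to one character.
        with open(filename, "r", encoding="latin-1", newline="") as fh:
            results[os.path.basename(filename)] = scan_session_text(fh.read())
    return results


def demo_scan() -> dict:
    """Write the two constructed samples into a temporary session directory and scan it."""
    with tempfile.TemporaryDirectory() as session_dir:
        for name, body in (("good.lua", BENIGN_SESSION), ("bad.lua", MALICIOUS_SESSION)):
            with open(os.path.join(session_dir, name), "w", encoding="latin-1", newline="") as fh:
                fh.write(body)
        return scan_session_dir(session_dir)


if __name__ == "__main__":
    for name, findings in demo_scan().items():
        print(name, "->", findings or "clean")
```

The bracket-balance and trailer checks are deliberately independent of the keyword list: an attacker can rename or obfuscate calls, but cannot inject code into a [[ ... ]] literal without closing it early, so the structural checks catch variants the keyword list would miss.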

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
