Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-47812 PoC — Wing FTP Server 7.4.3及 安全漏洞

Source
https://github.com/B1ack4sh/Blackash-CVE-2025-47812
Associated Vulnerability
Title:Wing FTP Server 7.4.3及 安全漏洞 (CVE-2025-47812)
Description:In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Description
CVE-2025-47812
Readme
# 🛡️ CVE-2025-47812 – Critical RCE in Wing FTP Server 🛡️

#### 🔎 Overview:

CVE-2025-47812 is a **critical remote code execution (RCE)** vulnerability affecting **Wing FTP Server** versions prior to **7.4.4**. It was discovered by a security researcher and has been confirmed to be **actively exploited in the wild**.

---

### 🧱 Root Cause:

The vulnerability lies in the **authentication logic** of Wing FTP Server, specifically in how it handles **null bytes (`\0`)** in the **`username`** parameter.

Attackers can inject **arbitrary Lua code** through the username field, which the server will write into the session file. When this session file is processed later, the **injected Lua code gets executed**, allowing attackers to run system-level commands.

---

### 🚨 Impact:

* **Severity**: CVSS score of **10.0** (Critical)
* **Access Required**: Unauthenticated or anonymous access is sufficient
* **Exploitation**: Confirmed active exploitation
* **Privileges Gained**: Code runs as **SYSTEM** (Windows) or **root** (Linux/macOS)
* **Affected Platforms**: Windows, Linux, and macOS

---

### 🔧 Mitigation:

* **Update immediately** to **Wing FTP Server version 7.4.4** or later.
* Ensure **public-facing FTP servers** are not exposing `/loginok.html` to untrusted networks.
* Monitor logs for unusual usernames or Lua code injections.
* Implement **network segmentation** to isolate FTP services from internal infrastructure.

---

### 💀 Exploit:

```
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-47812.py
============================================================
   CVE-2025-47812 - Wing FTP Server RCE Exploit
============================================================
Target URL (e.g., http://localhost:5466): http://10.10.10.10
Username (e.g., anonymous): anonymous
1) Run Command
2) Get Reverse Shell
Your choice (1 or 2): 1
Command to execute (default: whoami): id
[*] Trying to get UID... Payload: id
[*] UID obtained: 1c3be4345d468da6443947f479c569978ec568a693d569774e7
[*] Sending /dir.html request...
[*] HTTP 200
------ Response Start ------
uid=0(root) gid=0(root) groups=0(root)
<?xml version="1.0" encoding="UTF-8" ?>
<alldata><nowdir><![CDATA[/]]></nowdir>
<dirdata>
</dirdata>
<nowquota>0</nowquota>
<maxquota>0</maxquota>
<readfile>1</readfile>
</alldata>


------ Response End ------
```

---

### ⚠️ Disclaimer

This exploit is provided for educational purposes only.
Use it responsibly and only on systems you have explicit permission to test.
The author is not responsible for any misuse or damage caused by this tool.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →