Wing FTP Server Woes: Unauthenticated RCE Vulnerability Unleashed!
Wing FTP Server versions up to 7.4.3 have a remote code execution flaw, CVE-2025-47812. Exploiting this involves injecting Lua code via the username field, resulting in unauthorized command execution. If your server suddenly starts acting like it’s auditioning for a hacker movie, it might be time to update!
Hot Take:
Well, it seems Wing FTP Server has really spread its wings – and not in a good way! This unauthenticated remote code execution flaw is basically letting anyone and their grandma run arbitrary code on your server. It’s like handing over your house keys and expecting them not to raid the fridge. Time to update or risk turning your server into a playground for cyber mischief!
Key Points:
- Wing FTP Server versions up to 7.4.3 are vulnerable to remote code execution.
- The vulnerability is due to improper handling of NULL bytes in the ‘username’ parameter.
- Exploiting this flaw allows attackers to inject and execute Lua code with elevated privileges.
- The exploit works through a POST request to loginok.html and a subsequent GET request to dir.html.
- This issue affects both Linux (root privileges) and Windows (SYSTEM privileges) environments.
Already a member? Log in here