Wing FTP security advisory (AV25-391) - Update 2
Analysis Summary
# Vulnerability: Wing FTP Server Critical Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2025-47812 / CVE-2025-47813
- **CVSS Score:** 10.0 (Critical) for CVE-2025-47812. CVE-2025-47813 is a lower-severity information-disclosure issue fixed in the same release (an over-long `UID` cookie value leaks a filesystem path).
- **CWE:** Not stated in the advisory. The public CVE description (mishandling of NUL bytes that allows Lua code to be injected into session files) fits improper neutralization of null bytes (CWE-158) rather than OS command injection; the command execution is a consequence of the injected Lua, not of unescaped shell metacharacters.
## Affected Systems
- **Products:** Wing FTP Server
- **Versions:** v7.4.3 and all prior versions
- **Configurations:** Any installation that exposes the Wing FTP web interfaces: the user web client (default ports 5080 for HTTP and 5443 for HTTPS) and the admin console (default port 5466). Exploitation requires a login, but an enabled anonymous FTP account is sufficient, so hosts with anonymous access are effectively exposed to unauthenticated attackers.
## Vulnerability Description
The advisory itself gives no technical detail, but the public CVE description and published analyses agree on the mechanism: the web interfaces mishandle NUL (`\0`) bytes in the login username. The portion before the NUL is what gets authenticated, while the full value is written into the user's Lua session file, so an attacker who can log in (an anonymous FTP account suffices where it is enabled) can inject arbitrary Lua that the server executes when it later loads that session. Wing FTP Server runs as root or SYSTEM by default, so the injected code runs with those privileges. That combination of low attack prerequisites and full host compromise is why the score is 10.0 and why CISA added CVE-2025-47812 to the KEV catalog.
## Exploitation
- **Status:** **Exploited in the wild.** Public proof-of-concept code exists, and CISA added CVE-2025-47812 to the Known Exploited Vulnerabilities (KEV) catalog on the basis of confirmed in-the-wild exploitation.
- **Complexity:** Low. No special conditions are required beyond reaching the web interface with any usable account, including the anonymous account where it is enabled.
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to all files and data stored on the FTP server)
- **Integrity:** Total (Attacker can modify or delete files and system configurations)
- **Availability:** Total (Attacker can shut down services or render the system unusable)
## Remediation
### Patches
- **Wing FTP Server v7.4.4:** Users must upgrade to version 7.4.4 or later immediately to resolve these vulnerabilities.
### Workarounds
- **Network Segmentation:** Restrict the Wing FTP web listeners to trusted source addresses. The exploited login endpoint lives on the user-facing web interface (default ports 5080 and 5443), not only on the admin console (default port 5466), so filtering 5466 alone does not mitigate CVE-2025-47812.
- **Service Restriction:** Disable the anonymous FTP account if it is not needed, turn off the HTTP/HTTPS listeners where only FTP, FTPS or SFTP is required, and remove any other unused protocols or administrative features. These reduce exposure but do not replace the upgrade.
## Detection
- **Indicators of Compromise:**
- Presence of unrecognized administrative or user accounts.
- Unusual process execution (e.g., `cmd.exe`, `powershell.exe` or `/bin/sh`) spawned by the Wing FTP service process.
- Session files under the Wing FTP installation containing Lua calls such as `os.execute` or `io.popen`, which have no place in a legitimate session file.
- Modified system files or unexpected scripts in the web document root.
- **Detection Methods:**
- Review the web-interface access logs for POST requests to `loginok.html` whose username field contains a NUL byte (`%00` in URL-encoded form).
- Monitor network traffic for connections to the web and management ports (5080, 5443, 5466) from addresses outside the trusted set.
- Use CISA's KEV catalog to confirm exploitation status and the federal remediation due date; it carries no indicators of compromise, so pair it with the host and log checks above.
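The checks above can be turned into a small triage script. What follows is an added example, not code from the advisory or from Wing FTP Server: the service binary names (`wftpserver.exe` / `wftpserver`), the install paths, the session-file layout, the `username` form field name and every sample session body, request body and process event are assumptions constructed for the example, so adapt them to what you actually see on the host.

```python
import re
from urllib.parse import parse_qs

# Lua calls that have no place in a Wing FTP session file. Session files are
# Lua, and injected payloads use calls like these to reach the OS. Extend the
# list if a hunt turns up other primitives.
SUSPICIOUS_LUA = re.compile(
    r"\b(os\.execute|io\.popen|os\.remove|os\.rename|loadstring|dofile)\s*\("
)

# Assumed service binary names (Windows service / Linux daemon) and the shells
# an injected payload would typically spawn from it.
WING_FTP_IMAGES = {"wftpserver.exe", "wftpserver"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}


def scan_session_text(text: str) -> list[str]:
    """Return the suspicious Lua calls found in one session file's content."""
    return SUSPICIOUS_LUA.findall(text)


def login_has_nul_username(form_body: str) -> bool:
    """True when a captured POST body for loginok.html carries a NUL byte in
    the username field (assumed field name). The body is URL-decoded first, so
    both a raw 0x00 and the %00 form are caught; bodies without a username
    field are treated as benign."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def _basename(path: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_shell_children(events: list[dict]) -> list[dict]:
    """Return process-creation events in which the Wing FTP service spawned a
    shell. Events use constructed Sysmon-like keys (parent_image, image,
    cmdline); map your EDR's field names onto them."""
    return [
        ev for ev in events
        if _basename(ev["parent_image"]) in WING_FTP_IMAGES
        and _basename(ev["image"]) in SHELL_IMAGES
    ]


# ---- constructed samples (not real artefacts from any incident) -------------
SESSION_CLEAN = 'session = {\n  username = "alice",\n  ip = "203.0.113.5",\n}\n'
SESSION_INJECTED = (
    'session = {\n  username = "anonymous",\n}\n'
    'os.execute("whoami > /tmp/wftp_check")\n'
)
LOGIN_BENIGN = "username=alice&password=S3cret&lang=english"
LOGIN_NUL = "username=anonymous%00x&password=anonymous&lang=english"
EVENTS = [
    {"parent_image": r"C:\Program Files\Wing FTP Server\wftpserver.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"parent_image": "/opt/wftpserver/wftpserver",
     "image": "/bin/sh", "cmdline": "sh -c id"},
]


def triage() -> dict:
    """Run all three checks over the constructed samples and summarise hits."""
    return {
        "injected_sessions": sum(1 for s in (SESSION_CLEAN, SESSION_INJECTED)
                                 if scan_session_text(s)),
        "nul_logins": sum(1 for b in (LOGIN_BENIGN, LOGIN_NUL)
                          if login_has_nul_username(b)),
        "shell_children": len(flag_shell_children(EVENTS)),
    }


if __name__ == "__main__":
    print(triage())  # {'injected_sessions': 1, 'nul_logins': 1, 'shell_children': 2}
```

The session-file check is the most specific of the three and worth running over the server's session directory even after the upgrade: patching closes the injection point but does not remove artefacts an attacker already wrote, and a host should not be declared clean on the strength of the version number alone.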
## References
- Wing FTP Server History: hxxps[://]www[.]wftpserver[.]com/serverhistory[.]htm
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/wing-ftp-security-advisory-av25-391