CVE-2025-47812: A reminder why managed SFTP matters
A critical vulnerability has been disclosed in Wing FTP Server (CVE-2025-47812), affecting all versions prior to 7.4.4. It lets attackers inject Lua code into session files through improperly handled null bytes (\0) in the user and admin web interfaces.
Once exploited, the attacker can execute arbitrary system commands with root or SYSTEM privileges, effectively taking full control of the server. No login is required, and even anonymous FTP access is enough to trigger it.
Is CVE-2025-47812 serious?
It is. This is a CVSS 10.0 critical vulnerability: trivial to exploit, with total system compromise as the impact.
Anyone running an affected version of Wing FTP, especially with exposed admin panels or anonymous login enabled, should consider this a serious risk. Patch now, audit access logs, and if you’re self-hosting, review how your FTP stack handles user input and session persistence.
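As a starting point for the log audit suggested above, the following added example (not code from this page or from Wing FTP Server) flags request fields that carry a null byte, whether raw, percent-encoded, or nested-encoded. The log line layout, the /login path, and the sample lines are constructed assumptions; adapt the parsing to the format your server actually writes.

```python
# Flag urlencoded request fields that carry a NUL byte, raw or percent-encoded.
# Constructed sample data: the "<ip> <method> <path> <params>" layout and the
# /login path are assumptions, not Wing FTP Server's real log format.
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # enough to unwrap nested encodings such as %2500

def contains_nul(raw_value: str) -> bool:
    """True if a NUL byte appears after at most MAX_DECODE_ROUNDS decodes."""
    data = raw_value.encode("utf-8", "surrogateescape")
    for _ in range(MAX_DECODE_ROUNDS):
        if b"\x00" in data:
            return True
        decoded = unquote_to_bytes(data)
        if decoded == data:  # fully decoded, nothing hidden
            return False
        data = decoded
    return b"\x00" in data

def suspicious_fields(params: str) -> list[str]:
    """Names of fields (query string or form body) whose name or value holds a NUL."""
    flagged = []
    for pair in params.split("&"):
        name, _, value = pair.partition("=")
        if contains_nul(name) or contains_nul(value):
            flagged.append(name)
    return flagged

def audit(lines):
    """Return (client_ip, flagged_fields) for every line with a NUL-bearing field."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) == 4 and (fields := suspicious_fields(parts[3])):
            hits.append((parts[0], fields))
    return hits

SAMPLE_LINES = [  # constructed; "AAAA" is inert filler, not a payload
    "198.51.100.7 POST /login username=alice&password=x",
    "203.0.113.9 POST /login username=anonymous%00AAAA&password=",
    "203.0.113.9 POST /login username=anonymous%2500AAAA&password=",
    "203.0.113.20 POST /login username=guest\x00AAAA&password=",
    "192.0.2.15 GET /files dir=%2Fhome%2Falice",
]

if __name__ == "__main__":
    for ip, fields in audit(SAMPLE_LINES):
        print(f"{ip}: NUL byte in field(s) {fields}")
```

A hit is only a lead for review: correlate it with the timestamps of session file changes and with new processes started by the FTP service account.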
SFTP To Go is not affected.
We don’t use Wing FTP Server. We don’t expose user-facing admin panels. We don’t run Lua. And we don’t support anonymous access.
Our service is built on cloud-native architecture with hardened components and a limited attack surface. There are no session files or scriptable backdoors waiting to be exploited.
If you're managing your own FTP server, this is a good moment to check your version, your configurations, and your exposure. If you're using a managed file transfer platform like ours, this is the kind of threat you simply don’t have to worry about.
SFTP To Go gives you encrypted cloud SFTP, built-in storage, user access controls, and audit logging, all without managing a single server. Updates like this one are someone else’s problem. And that’s kind of the point.

Frequently asked questions
What is CVE-2025-47812?
It’s a critical remote code execution vulnerability in Wing FTP Server (versions prior to 7.4.4). It allows attackers to inject Lua code into session files by exploiting null byte parsing in web interfaces—leading to full system compromise.
Does CVE-2025-47812 affect SFTP To Go?
No. SFTP To Go does not use Wing FTP Server or Lua scripting, and does not expose admin interfaces. We are not impacted.
Is anonymous FTP access a risk factor for CVE-2025-47812?
Yes. The exploit can be triggered by anonymous users. If you're running Wing FTP with that enabled, update and lock it down immediately.
What makes SFTP To Go safe from CVE-2025-47812?
We're cloud-native, with no local session files, no Lua, no admin interface exposure, and no anonymous access. Our infrastructure is built to avoid this entire class of vulnerability.
Do I need to take action against CVE-2025-47812 as a user of SFTP To Go?
No. There's nothing for you to patch or configure. This threat doesn't touch our platform.