WingFTP username null byte command execution

Added: 07/02/2025

Background

Wing FTP Server is free FTP server software for Windows, Linux, and Mac OS.

Problem

A command injection vulnerability allows a remote unauthenticated attacker to execute arbitrary commands by sending a username with a null byte in a login request.
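
A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Wing FTP Server: it flags login request bodies whose username contains a null byte, whether raw, percent-encoded or multiply encoded. The field name `username`, the form-encoded body format and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumption: the login form field is named "username"; adjust for your deployment.
USERNAME_FIELDS = {b"username"}
MAX_DECODE_ROUNDS = 3  # catches nested encoding such as %2500 -> %00 -> NUL


def fully_decode(value: bytes) -> bytes:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(value)
        if decoded == value:
            break
        value = decoded
    return value


def username_has_nul(body: bytes) -> bool:
    """True if a username field in a form-encoded body contains a NUL byte."""
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        if fully_decode(name).strip().lower() in USERNAME_FIELDS:
            if b"\x00" in fully_decode(value):
                return True
    return False


def flag_sources(requests):
    """Return the source addresses whose login body carries a NUL in the username."""
    return [src for src, body in requests if username_has_nul(body)]


# Constructed sample login requests (documentation address ranges, placeholder text).
SAMPLE_REQUESTS = [
    ("192.0.2.10", b"username=alice&password=secret"),
    ("198.51.100.7", b"username=anonymous%00PLACEHOLDER&password=x"),
    ("198.51.100.8", b"username=anonymous%2500PLACEHOLDER&password=x"),
    ("203.0.113.5", b"username=bob&password=p%00w"),  # NUL outside the username
    ("203.0.113.9", b"username=guest\x00PLACEHOLDER&password=x"),  # raw NUL
]

if __name__ == "__main__":
    for source in flag_sources(SAMPLE_REQUESTS):
        print(f"null byte in login username from {source}")
```

The same test can run as a reverse-proxy or WAF rule that rejects such requests until the server is upgraded.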

Resolution

Upgrade to Wing FTP Server 7.4.4 or higher.

References

https://packetstorm.news/files/id/204946/
