CVE-2025-47812
Wing · Wing FTP Server
Executive summary
A critical arbitrary code execution vulnerability in Wing FTP Server allows an authenticated attacker to gain complete control of the affected system.
Vulnerability
The vulnerability exists because the user and admin web interfaces improperly handle null byte (\0) characters. An authenticated attacker can exploit this flaw to inject arbitrary Lua code into user session files, leading to code execution with the privileges of the server application.
Business impact
A successful exploit of this vulnerability would grant an attacker complete control over the server, resulting in a full system compromise. The CVSS score of 10.0 (Critical) reflects the maximum possible impact, including the potential for total data confidentiality, integrity, and availability loss. This could lead to severe data breaches, service disruption, and the server being used as a pivot point for further attacks within the network.
Remediation
Immediate Action: Administrators must update all vulnerable instances of Wing FTP Server to version 7.4.4 or later without delay; the update is the only complete fix for this vulnerability.
Proactive Monitoring: Review server logs for unusual activity, specifically focusing on session file modifications and unexpected processes spawned by the FTP server application. Monitor for anomalous login patterns or session data.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block null byte injection attacks as a temporary mitigating control until patching can be completed.
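As an added example, not part of this advisory and not Wing FTP Server's own code, the following Python script implements the two defensive checks recommended above: it reviews login request log lines for a null byte (raw or percent-encoded `%00`) in the username parameter, and it scans session files for embedded null bytes and for Lua calls that execute programs or evaluate code, which have no place in session state. The log line layout, the `/login` path and the session file contents are constructed assumptions for the example; the real Wing FTP log and session formats are not reproduced here.

```python
"""Defensive checks for the null-byte / Lua session injection pattern.

Added example (not Wing FTP Server's code). The log format and the session
file contents are CONSTRUCTED for illustration.
"""
import re
from pathlib import Path
from urllib.parse import unquote_to_bytes

# Lua calls that run programs or evaluate code; none belong in session data.
SUSPICIOUS_LUA = (b"os.execute", b"io.popen", b"loadstring", b"dofile", b"load(")

# CONSTRUCTED log format (assumption, not Wing FTP's real format):
#   <timestamp> <client_ip> POST /login username=<u> password=<p>
LOG_RE = re.compile(rb"^(\S+) (\S+) POST /login username=([^&\s]*)")

# CONSTRUCTED sample log lines; the second carries a percent-encoded NUL.
SAMPLE_LOG = [
    b"2025-07-01T10:00:00Z 203.0.113.5 POST /login username=alice password=REDACTED",
    b"2025-07-01T10:00:03Z 203.0.113.9 POST /login username=bob%00junk password=REDACTED",
    b"2025-07-01T10:00:07Z 203.0.113.7 POST /login username=carol%20d password=REDACTED",
]


def username_has_null_byte(raw_username: bytes) -> bool:
    """True if the username contains a NUL, either raw or after one round of URL decoding."""
    decoded = unquote_to_bytes(raw_username)
    return b"\x00" in raw_username or b"\x00" in decoded


def scan_log_lines(lines: list[bytes]) -> list[tuple[int, str, str]]:
    """Return (line_index, client_ip, username) for every login whose username carries a NUL."""
    hits = []
    for idx, line in enumerate(lines):
        m = LOG_RE.match(line)
        if m and username_has_null_byte(m.group(3)):
            hits.append((idx, m.group(2).decode(), m.group(3).decode("latin-1")))
    return hits


def scan_session_bytes(data: bytes) -> list[str]:
    """List the indicators found in one session file's content."""
    findings = []
    if b"\x00" in data:
        findings.append("embedded NUL byte")
    for token in SUSPICIOUS_LUA:
        if token in data:
            findings.append("Lua call " + token.decode())
    return findings


def scan_session_dir(session_dir: Path) -> dict[str, list[str]]:
    """Scan every regular file in a session directory; map file name -> findings."""
    report = {}
    for path in sorted(session_dir.iterdir()):
        if path.is_file():
            findings = scan_session_bytes(path.read_bytes())
            if findings:
                report[path.name] = findings
    return report


if __name__ == "__main__":
    for idx, ip, user in scan_log_lines(SAMPLE_LOG):
        print(f"log line {idx}: NUL byte in username from {ip}: {user!r}")
    # Constructed session content standing in for a file on disk.
    print(scan_session_bytes(b'user="bob\x00"\nos.execute("echo test")\n'))
```

The username check is the same condition a WAF rule under the compensating-controls item would express: reject any login parameter that contains a NUL before or after URL decoding. Run `scan_session_dir` against a copy of the server's session directory rather than the live one, and treat any file with an embedded NUL or an `os.execute`/`io.popen` call as an incident indicator to preserve for forensics.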
Exploitation status
Public Exploit Available: Not Specified
Analyst recommendation
Given the critical severity (CVSS 10.0) and the risk of complete system compromise, this vulnerability poses an extreme threat to the organization. We strongly recommend that administrators prioritize applying the security update to version 7.4.4 or later immediately. Delaying this action leaves critical server infrastructure exposed to a high-impact takeover.