PT-2025-27480 · Wing Ftp · Wing Ftp Server

Julien Ahrens · Published 2025-06-30 · Updated 2025-07-17 · CVE-2025-47812

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

Wing FTP Server versions prior to 7.4.4

**Description:**

Wing FTP Server is vulnerable to a remote code execution (RCE) flaw due to improper handling of null bytes ('\0') in the web interface. This allows attackers to inject arbitrary Lua code into user session files, potentially leading to the execution of arbitrary system commands with FTP service privileges (root or SYSTEM by default). The vulnerability is exploitable even with anonymous FTP accounts. Active exploitation of this vulnerability has been observed in the wild, with attackers attempting to gain system-level access and install malicious software. Approximately 8,103 publicly accessible instances of Wing FTP Server are estimated to be vulnerable, with around 5,004 having a web interface exposed.

**Recommendations:**

Wing FTP Server versions prior to 7.4.4 are vulnerable and should be updated to version 7.4.4 or later immediately.

Exploit · Fix · RCE

Related Identifiers

BDU:2025-08471
CVE-2025-47812

Affected Products

Wing Ftp Server