A critical remote code execution (RCE) vulnerability, identified as CVE-2025-47812, in Wing FTP Server is currently being exploited by threat actors. This flaw, deemed to have the highest severity, allows unauthenticated attackers to execute arbitrary code with root or SYSTEM privileges. The exploitation began just one day after security researcher Julien Ahrens publicly disclosed technical details of the vulnerability, which stems from a combination of null byte and Lua code injection. Wing FTP Server, widely used in enterprise and SMB environments for secure file transfers, is particularly susceptible due to its ability to execute Lua scripts.
The core of CVE-2025-47812 lies in the unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua within Wing FTP Server. Julien Ahrens demonstrated that by inserting a null byte into the username field during a login attempt, an attacker can bypass authentication checks. This bypass then enables the injection of malicious Lua code directly into session files. When the Wing FTP Server subsequently executes these compromised session files, the injected code is run with the highest system privileges, leading to arbitrary code execution.
Beyond CVE-2025-47812, Ahrens also detailed three other vulnerabilities affecting Wing FTP Server.
These include CVE-2025-27889, which allows for the exfiltration of user passwords; CVE-2025-47811, highlighting the danger of the server running as root/SYSTEM without sandboxing; and CVE-2025-47813, which can reveal file system paths through an overlong UID cookie. All these flaws impact Wing FTP versions 7.4.3 and earlier. While the vendor released version 7.4.4 on May 14, 2025, to patch these issues, CVE-2025-47811 was not considered critical enough for a fix.
Evidence of active exploitation surfaced on July 1st, when threat researchers at Huntress observed an attack against one of their customers, just a day after the vulnerability’s technical details became public. The attacker leveraged the CVE-2025-47812 vulnerability by sending malformed login requests with null-byte-injected usernames, targeting ‘loginok.html’. This technique successfully created malicious session .lua files that injected Lua code into the server, designed to download and execute malware from a remote location using certutil via cmd.exe.
Huntress noted that five distinct IP addresses targeted the same Wing FTP instance within a short timeframe, suggesting widespread scanning and exploitation attempts by multiple threat actors.
The observed commands focused on reconnaissance, establishing persistence, and data exfiltration using cURL and webhook endpoints. Although the attacks observed by Huntress failed, likely due to attacker unfamiliarity or intervention from Microsoft Defender, the clear attempts at exploiting this critical vulnerability underscore the immediate threat. Organizations using Wing FTP Server are strongly urged to upgrade to version 7.4.4 immediately or, if an upgrade is not feasible, to implement mitigation measures such as disabling or restricting HTTP/HTTPS access to the web portal, disabling anonymous logins, and actively monitoring the session directory for suspicious activity.
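The session-directory monitoring recommended above can be partly automated. The following is an added example, not Wing FTP's or Huntress's code: it flags session .lua files that contain shell or downloader calls of the kind described in the attack, and login requests to loginok.html whose username field carries a null byte. It assumes that a clean session file holds only plain Lua assignments and that the login form field is named `username`; the sample session files in `demo()` are constructed.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs

# Assumption: a clean Wing FTP session .lua holds only simple assignments,
# so shell or downloader calls inside one are a strong injection signal.
SUSPICIOUS_LUA = [
    r"os\.execute\s*\(",   # Lua shell execution
    r"io\.popen\s*\(",     # Lua process spawn
    r"\bcmd\.exe\b",       # Windows shell, as seen in the Huntress case
    r"\bcertutil\b",       # downloader used in the observed attack
    r"\bcurl\b",           # exfiltration tool named in the report
]

def scan_session_lua(text):
    """Return the suspicious patterns present in one session file body."""
    return [p for p in SUSPICIOUS_LUA if re.search(p, text, re.IGNORECASE)]

def scan_session_dir(path):
    """Scan every .lua file in a session directory; map filename -> hits."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".lua"):
            continue
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            hits = scan_session_lua(fh.read())
        if hits:
            findings[name] = hits
    return findings

def null_byte_login(path, form_body):
    """True for a loginok.html request whose username field carries a NUL byte.
    Assumes the form field is named 'username' (not verified against Wing FTP)."""
    if not path.lower().endswith("/loginok.html"):
        return False
    fields = parse_qs(form_body, keep_blank_values=True)  # decodes %00 to "\x00"
    return any("\x00" in v for v in fields.get("username", []))

def demo():
    """Constructed session directory: one clean file, one with injected Lua."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "clean.lua"), "w") as fh:
            fh.write('username = "alice"\nlogged_in = true\n')
        with open(os.path.join(d, "injected.lua"), "w") as fh:
            fh.write('username = "x"\nos.execute("cmd.exe /c certutil ...")\n')
        return scan_session_dir(d)
```

Run `demo()` to see the scanner flag only the injected file; in production, point `scan_session_dir` at the real session directory and feed `null_byte_login` from web-portal request logs or a reverse proxy.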