Hackers are exploiting critical RCE flaw in Wing FTP Server

Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public.

The observed attack ran multiple enumeration and reconnaissance commands followed by establishing persistence by creating new users.

The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows remote a unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM).

Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, which is widely used in enterprise and SMB environments.

On June 30, security researcher Julien Ahrens published a technical write-up for CVE-2025-47812, explaining that the flaw stems from unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua.

The researcher demonstrated how a null byte in the username field could bypass authentication checks and enable Lua code injection into session files.

When those files are subsequently executed by the server, it is possible to achieve arbitrary code execution as root/SYSTEM.

Along with CVE-2025-47812, the researcher presented another three flaws in Wing FTP:

• CVE-2025-27889 – allows exfiltrating user passwords via a crafted URL if the user submits a login form, due to unsafe inclusion of the password in a JavaScript variable (location)
• CVE-2025-47811 – Wing FTP runs as root/SYSTEM by default, with no sandboxing or privilege drop, making RCEs far more dangerous
• CVE-2025-47813 – supplying an overlong UID cookie reveals file system paths

All the flaws impact Wing FTP versions 7.4.3 and earlier. The vendor fixed the issues by releasing version 7.4.4 on May 14, 2025, except for CVE-2025-47811, which was deemed unimportant.

Threat researchers at managed cybersecurity platform Huntress created a proof-of-concept exploit for CVE-2025-47812 and show in the video below how hackers could leverage it in attacks:

Huntress researchers found that on July 1st, a day after technical details for CVE-2025-47812 appeared, at least one attacker exploited the vulnerability at one of their customers.

The attacker sent malformed login requests with null-byte-injected usernames, targeting ‘loginok.html.’ These inputs created malicious session .lua files that injected Lua code into the server.

The injected code was designed to hex-decode a payload and execute it via cmd.exe, using certutil to download malware from a remote location and execute it.

Huntress says that the same Wing FTP instance was targeted by five distinct IP addresses within a short time frame, potentially indicating mass-scanning and exploitation attempts by several threat actors.

The commands observed in these attempts were for reconnaissance, obtaining persistence in the environment, and data exfiltration using the cURL tool and webhook endpoint.

The hacker failed the attack “maybe due to their unfamiliarity with them, or because Microsoft Defender stopped part of their attack,” Huntress says. Nevertheless, the researchers observed clear exploitation of the critical Wing FTP Server vulnerability.

Even if Huntress observed failed attacks at their customers, hackers are likely to scan for reachable Wing FTP instances and try to take advantage of vulnerable servers.

Companies are strongly advised to upgrade to version 7.4.4 of the product as soon as possible.

If switching to a newer, secure version is not possible, the researchers’ recommendation is to disable or restrict HTTP/HTTPs access to the Wing FTP web portal, disable anonymous logins, and monitor the session directory for suspicious additions.