Wing FTP Server Vulnerability Actively Exploited
Security researchers have confirmed active exploitation of a critical vulnerability in Wing FTP Server, just one day after technical details were publicly disclosed.
The flaw, tracked as CVE-2025-47812, has received the maximum CVSS score of 10.0 and enables unauthenticated remote code execution with root or SYSTEM privileges.
The vulnerability was first disclosed by security researcher Julien Ahrens on June 30, 2025, following a responsible disclosure to Wing FTP that resulted in version 7.4.4 being released on May 14, 2025.
However, exploitation attempts began immediately after the technical write-up became public, with Huntress security researchers observing the first attacks on July 1, 2025.
CVE-2025-47812 stems from improper handling of null bytes in Wing FTP Server’s web interface, specifically in the loginok.html endpoint that processes authentication requests.
The vulnerability combines a null byte injection flaw with Lua code injection, allowing attackers to bypass authentication checks and inject arbitrary commands into server session files.
The attack begins with a malformed HTTP POST request to loginok.html containing a specially crafted username parameter. By inserting a null byte (%00) followed by Lua code, attackers can manipulate the server’s session creation process.
When the server processes these corrupted session files, the injected Lua code executes with elevated privileges, granting attackers complete control over the system.
Security researchers at Huntress created a proof-of-concept exploit demonstrating how the vulnerability can be leveraged to achieve arbitrary code execution as root on Linux systems or SYSTEM on Windows.
The attack is particularly dangerous because it can be executed via anonymous FTP accounts, which are disabled by default but may be enabled in some configurations.
Widespread Internet Exposure
According to data from Censys, approximately 8,103 publicly accessible devices are running Wing FTP Server worldwide, with 5,004 of these systems exposing their web interfaces to the internet.
The Shadowserver Foundation has identified around 2,000 IPs running exposed Wing FTP Server instances, though specific vulnerability checks have not been conducted on all identified systems.

The geographic distribution shows the highest concentrations of potentially vulnerable systems in the United States, China, Germany, the United Kingdom, and India.
Organizations using Wing FTP Server for file transfer operations include major corporations such as Airbus, Reuters, and the U.S. Air Force, indicating the potential for significant impact across critical infrastructure sectors.
Observed Attack Activity
Huntress researchers documented active exploitation beginning July 1, 2025, with threat actors targeting a customer’s Wing FTP Server installation.
The attack involved five distinct IP addresses attempting to compromise the same system within a short timeframe, suggesting coordinated scanning and exploitation efforts.
The observed attack sequence included:
- Initial reconnaissance using commands like ipconfig, arp -a, and nslookup
- System enumeration through whoami, net user, and PowerShell scripts
- Creation of new user accounts for persistence
- Attempts to download and execute remote malware using certutil and curl
- Efforts to install remote access tools, including ScreenConnect
While the specific attack failed, likely due to intervention by Microsoft Defender or attacker inexperience, the incident demonstrates the vulnerability’s active exploitation in the wild.
Wing FTP Server version 7.4.4, released on May 14, 2025, addresses CVE-2025-47812 along with two other security vulnerabilities (CVE-2025-47813 and a path disclosure issue). The vendor has reportedly contacted customers via email with upgrade guidance following the disclosure of active exploitation.
For organizations unable to immediately upgrade, security researchers recommend implementing interim protective measures including:
- Disabling or restricting HTTP/HTTPS access to the Wing FTP web portal
- Disabling anonymous login functionality
- Monitoring session directories for suspicious .lua files
- Implementing network segmentation to limit exposure
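The request pattern described earlier (a POST to loginok.html whose username carries a null byte) is something a defender can check for in front of the web portal while the upgrade is pending. The following is an added example, not code from the article, Huntress or Wing FTP; it assumes request records (method, path, decoded form parameters) captured by a reverse proxy or similar, and the records below are constructed.

```python
"""Flag Wing FTP web-login requests carrying null bytes in the username (CVE-2025-47812 pattern).

Added example; the record layout is an assumption and SAMPLE_RECORDS are constructed.
"""
from collections import Counter
from urllib.parse import unquote_to_bytes

LOGIN_ENDPOINT = "/loginok.html"


def has_null_byte(value: str) -> bool:
    """True if value holds a raw NUL, or one that appears after up to two rounds of URL decoding."""
    raw = value.encode("utf-8", "surrogateescape")
    for _ in range(3):          # covers raw NUL, %00 and double-encoded %2500
        if b"\x00" in raw:
            return True
        raw = unquote_to_bytes(raw)
    return False


def classify_request(method: str, path: str, params: dict):
    """Return a finding label for a suspicious login request, or None if it looks normal."""
    if method.upper() != "POST" or path.split("?", 1)[0].lower() != LOGIN_ENDPOINT:
        return None
    if has_null_byte(params.get("username", "")):
        return "null-byte-in-username"
    return None


def scan(records):
    """Run classify_request over records; return (index, source IP, label) for each hit."""
    hits = []
    for i, rec in enumerate(records):
        label = classify_request(rec["method"], rec["path"], rec["params"])
        if label:
            hits.append((i, rec["src"], label))
    return hits


def sources_by_hits(records) -> Counter:
    """Count hits per source IP; several distinct sources in a short window matched the reported activity."""
    return Counter(src for _, src, _ in scan(records))


SAMPLE_RECORDS = [  # constructed, not real traffic
    {"src": "198.51.100.7", "method": "POST", "path": "/loginok.html",
     "params": {"username": "alice", "password": "hunter2"}},
    {"src": "203.0.113.22", "method": "POST", "path": "/loginok.html",
     "params": {"username": "guest\x00x", "password": "x"}},
    {"src": "203.0.113.23", "method": "POST", "path": "/loginok.html?ts=1",
     "params": {"username": "guest%00x", "password": "x"}},
    {"src": "198.51.100.9", "method": "GET", "path": "/index.html", "params": {}},
]
```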
The vulnerability affects all major operating systems supported by Wing FTP Server, including Windows, Linux, and macOS. Given the software’s widespread deployment in enterprise environments for secure file transfer operations, the security community has issued urgent recommendations for immediate patching.
Organizations operating Wing FTP Server installations should prioritize upgrading to version 7.4.4 or later, conduct thorough security assessments of their file transfer infrastructure, and implement additional monitoring to detect potential compromise indicators.
The combination of maximum severity rating, active exploitation, and widespread internet exposure makes this vulnerability a significant threat to organizational security posture.