Attackers Exploit Wing FTP Server Vulnerability for Remote Code Execution
Hackers have begun exploiting a critical vulnerability in Wing FTP Server—tracked as CVE-2025-47812—less than 24 hours after a technical write-up detailing the flaw was published. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code with root or SYSTEM privileges, posing a serious threat to enterprises and SMBs relying on the platform for secure file transfers.
Vulnerability Origin: Null Byte and Lua Code Injection
Discovered by security researcher Julien Ahrens, the flaw is caused by unsafe handling of null-terminated strings in C++ and poor input sanitization in Lua. By injecting a null byte in the username field of a login request, attackers can bypass authentication checks and plant Lua code into session files. These files are then executed by the server, leading to full code execution.
“The flaw is a combination of a null byte and Lua code injection that allows unauthenticated attackers to execute commands as root or SYSTEM,” Ahrens explained in his report.
The researcher published his findings on June 30, alongside three additional vulnerabilities affecting Wing FTP Server versions 7.4.3 and earlier:
- CVE-2025-27889 – Exfiltration of user passwords via a crafted URL.
- CVE-2025-47811 – Server runs with high privileges by default and lacks sandboxing.
- CVE-2025-47813 – Overlong UID cookie reveals sensitive file system paths.
Version 7.4.4, released on May 14, 2025, patches all issues except CVE-2025-47811, which was considered low priority.
Real-World Attacks Begin Within a Day
On July 1, threat researchers at Huntress observed active exploitation of CVE-2025-47812 at a customer site. The attack involved malformed login requests targeting loginok.html, with null-byte-injected usernames that generated malicious .lua session files.
The Lua code injected into the server was designed to hex-decode a payload and execute it using cmd.exe, leveraging certutil to fetch malware from a remote server.
Although the attacker failed to fully compromise the system—possibly due to missteps or interference from Microsoft Defender—Huntress confirmed that exploitation was underway.
“The same instance was hit by five different IP addresses in a short time frame, suggesting mass-scanning or multiple threat actors attempting exploitation,” Huntress noted.
Commands observed during the attack were used to conduct reconnaissance, establish persistence, and exfiltrate data via cURL and webhook endpoints.
Enterprise Risk and Recommendations
Given that Wing FTP Server is widely deployed in enterprise environments, the exposure is significant. Attackers are likely scanning for vulnerable systems across the internet.
While version 7.4.4 addresses the most critical flaws, many organizations may still be running outdated versions. In cases where immediate patching isn’t feasible, Huntress advises the following interim measures:
- Disable or restrict HTTP/HTTPS access to the Wing FTP web portal.
- Disable anonymous login functionality.
- Monitor the session directory for unexpected .lua files.
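As an added example (not code from the article, Huntress, or Wing FTP), the following read-only Python triage script implements the session-directory check above: it walks a session directory and flags .lua files carrying the indicators the article describes (embedded null bytes, os.execute/io.popen calls, cmd.exe or certutil references, long hex blobs). The session directory path is a placeholder and the sample content in the comments is constructed.

```python
"""
Added example, not from the article: read-only triage of a Wing FTP
session directory for unexpected or suspicious .lua session files.
A hit means "look at this file", not "confirmed compromise".
"""
import re
from pathlib import Path

# Indicators drawn from the behaviour the article attributes to the
# observed payload. The session file format itself is not documented
# here, so these are plain content checks on the raw bytes.
INDICATORS = {
    "lua_exec": re.compile(rb"\b(os\.execute|io\.popen)\s*\("),
    "cmd_exe": re.compile(rb"cmd\.exe", re.IGNORECASE),
    "certutil": re.compile(rb"certutil", re.IGNORECASE),
    # 64+ consecutive hex characters: a hex-encoded payload waiting to be decoded
    "long_hex_blob": re.compile(rb"(?:[0-9a-fA-F]{2}){32,}"),
}


def scan_session_file(data: bytes) -> list[str]:
    """Return the sorted indicator names that match one session file's bytes."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if b"\x00" in data:  # null bytes have no business in a session file
        hits.append("null_byte")
    return sorted(hits)


def scan_session_dir(session_dir: str) -> dict[str, list[str]]:
    """Map each flagged .lua file under session_dir to its indicator names."""
    findings: dict[str, list[str]] = {}
    for path in Path(session_dir).rglob("*.lua"):
        hits = scan_session_file(path.read_bytes())
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Placeholder path: point this at the real Wing FTP session directory.
    # Constructed sample content such as b"x = io.popen('cmd.exe')" would be
    # reported as: cmd_exe, lua_exec
    for name, hits in scan_session_dir("/path/to/wingftp/session").items():
        print(f"{name}: {', '.join(hits)}")
```

Run it on a schedule (or from a file-integrity monitor) and alert on any new .lua file in the session directory, whether or not it matches an indicator, since the interim mitigation is about unexpected files rather than known payloads.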
Security teams are strongly urged to upgrade to version 7.4.4 without delay to prevent exploitation and maintain secure file transfer operations.