Active Exploits Target Critical Wing FTP Server Flaw (CVE-2025-47812)

Summary
– Threat actors are exploiting CVE-2025-47812, a remote code execution vulnerability in Wing FTP Server, which allows arbitrary Lua code injection via mishandled null bytes in web interfaces.
– Wing FTP Server is a commercial file transfer solution used across Windows, Linux, and macOS, with administration and file transfers handled via a web interface.
– The vulnerability, fixed in version 7.4.4 (released May 14, 2025), was discovered by Julien Ahrens, who also disclosed two other flaws (CVE-2025-47811, CVE-2025-47813) with PoC exploits.
– Attackers began exploiting CVE-2025-47812 by July 1, 2025, attempting reconnaissance, persistence, and malware deployment, though their efforts were hindered by Microsoft Defender.
– Over 8,100 Wing FTP Servers were detected online, with ~5,000 exposed web interfaces vulnerable to exploitation via malicious POST requests.

Security teams are scrambling to patch vulnerable Wing FTP Server installations after confirmed attacks exploiting a critical remote code execution flaw (CVE-2025-47812). The vulnerability allows unauthenticated attackers to execute arbitrary system commands with elevated privileges, putting thousands of exposed servers at risk of complete compromise.
Wing FTP Server, a popular commercial file transfer solution used across industries, contains a dangerous flaw in how its web interfaces process null bytes. This oversight enables Lua code injection into session files, effectively giving attackers full control over affected systems. The vulnerability affects all major platforms including Windows, Linux, and macOS deployments.
Researchers first spotted active exploitation just one day after public disclosure, with multiple threat actors attempting to establish persistence through new user creation and malicious payload deployment. While initial attacks appeared amateurish, with Microsoft Defender successfully blocking some attempts, the rapid weaponization demonstrates the flaw’s serious potential. Security firm Huntress confirmed at least one successful breach attempt before mitigation.
The vulnerability stems from improper input validation in Wing FTP’s administrative and user web interfaces. Attackers can trigger the exploit through malicious POST requests, making exposed web interfaces particularly vulnerable. What makes this flaw especially dangerous is its exploitability via anonymous FTP accounts, lowering the barrier for widespread attacks.
The flaw was patched in version 7.4.4, released May 14, after researcher Julien Ahrens responsibly disclosed the issue. His subsequent technical analysis revealed two additional vulnerabilities (CVE-2025-47811 and CVE-2025-47813), though only CVE-2025-47812 currently appears to be actively exploited. Internet scans show approximately 8,100 Wing FTP Server instances online, with 5,000 exposing their web interfaces to potential attacks.
Security teams should prioritize updating to version 7.4.4 immediately. Organizations unable to patch should consider restricting web interface access and monitoring for suspicious activity patterns, including unexpected user creation attempts or Lua script execution. The vulnerability chain becomes particularly dangerous when combined with CVE-2025-27889, a separate information disclosure flaw that could provide attackers with cleartext credentials.
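The monitoring advice above can start with the request data itself. The following added example, which is not from the article, the researcher or the vendor, scans logged POST bodies for form fields that decode to a null byte, the input condition the article describes. The tab-separated log layout, the path and the field names are assumptions, and the sample records are constructed.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample records, not real traffic. Assumed layout (tab-separated):
# timestamp, client IP, method, path, raw form-encoded body.
# The path and field names are placeholders, not Wing FTP's actual ones.
SAMPLE_LOG = (
    "2025-07-01T10:00:01Z\t198.51.100.7\tPOST\t/login-placeholder\t"
    "username=alice&password=x\n"
    "2025-07-01T10:00:09Z\t203.0.113.5\tPOST\t/login-placeholder\t"
    "username=anonymous%00PLACEHOLDER&password=\n"
    "2025-07-01T10:00:12Z\t203.0.113.5\tGET\t/index\t\n"
    "2025-07-01T10:00:15Z\t192.0.2.44\tPOST\t/login-placeholder\t"
    "username=bob%2500PLACEHOLDER&password=y\n"
)


def nul_fields(body):
    """Return names of form fields whose name or value decodes to a NUL byte."""
    hits = []
    # latin-1 maps every percent-decoded byte to one character, so %00 -> "\x00".
    for name, value in parse_qsl(body, keep_blank_values=True, encoding="latin-1"):
        # A second unquote also catches double-encoded input such as %2500.
        decoded = unquote(name + "=" + value, encoding="latin-1")
        if "\x00" in decoded:
            hits.append(name)
    return hits


def scan(log_text):
    """Return one finding per POST record carrying a NUL in any form field."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue  # malformed record: skip rather than guess
        ts, src, method, path, body = parts
        if method.upper() != "POST":
            continue
        fields = nul_fields(body)
        if fields:
            findings.append({"time": ts, "src": src, "path": path, "fields": fields})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit marks a request worth reviewing alongside the host's user-creation and process activity; it is not by itself proof of compromise.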
Ongoing monitoring reveals attackers are testing various payload delivery methods, including attempts to install remote management tools like ScreenConnect. While current attacks show limited sophistication, the vulnerability’s ease of exploitation suggests more advanced threat actors may soon weaponize it. Network defenders should assume all unpatched Wing FTP Servers are actively being probed for this vulnerability.
(Source: HelpNet Security)





