Critical RCE Flaw in Wing FTP Server Actively Exploited by Hackers

Summary
– Hackers began exploiting a critical Wing FTP Server vulnerability (CVE-2025-47812) one day after its technical details were published, allowing unauthenticated remote code execution with root/SYSTEM privileges.
– The flaw combines a null byte bypass and Lua code injection, stemming from unsafe string handling in C++ and improper input sanitization in Lua scripts.
– Three additional vulnerabilities were disclosed alongside CVE-2025-47812, including password exfiltration (CVE-2025-27889) and path disclosure (CVE-2025-47813); all of them were fixed in Wing FTP version 7.4.4 except CVE-2025-47811.
– Attackers exploited the flaw by injecting null-byte usernames to create malicious Lua session files, executing payloads via cmd.exe to download malware, though some attempts were thwarted by Microsoft Defender.
– Organizations are urged to upgrade to Wing FTP 7.4.4 or restrict HTTP/HTTPS access, disable anonymous logins, and monitor session directories for suspicious activity.
A critical remote code execution vulnerability in Wing FTP Server is now being actively exploited by hackers, posing severe risks to organizations using this popular file transfer solution. The flaw, identified as CVE-2025-47812, allows attackers to execute arbitrary code with the highest system privileges without authentication. Security experts warn that exploitation attempts began just 24 hours after technical details became public.
The vulnerability stems from improper handling of null-terminated strings in C++ and insufficient input sanitization in Lua scripts. Attackers can inject malicious code through the username field during login, bypassing authentication checks. When the server processes session files containing this code, it executes commands with root or SYSTEM privileges, giving hackers full control over the system.
Alongside this critical flaw, researchers uncovered three additional vulnerabilities in Wing FTP Server:
- CVE-2025-27889: Exposes user passwords through crafted URLs due to unsafe JavaScript variable handling.
- CVE-2025-47811: The server runs with elevated privileges by default, amplifying the impact of any remote code execution.
- CVE-2025-47813: Reveals sensitive file system paths when an overly long UID cookie is supplied.
These vulnerabilities affect Wing FTP Server versions 7.4.3 and earlier. The vendor addressed most issues in version 7.4.4, released in May 2025, though CVE-2025-47811 remains unpatched, leaving systems at continued risk.
Security firm Huntress documented real-world exploitation attempts shortly after the vulnerability details were published. Attackers sent manipulated login requests containing null-byte injections, creating malicious Lua session files. These files then downloaded and executed malware via certutil, a common tactic in cyberattacks.
Huntress observed multiple IP addresses targeting the same server, suggesting widespread scanning and exploitation efforts. While some attacks failed, possibly due to security software interference, the attempts highlight the urgency of applying patches.
Organizations using Wing FTP Server should immediately upgrade to version 7.4.4 to mitigate these risks. If patching isn’t feasible, experts recommend:
- Restricting HTTP/HTTPS access to the web portal.
- Disabling anonymous logins.
- Monitoring session directories for suspicious activity.
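A minimal session-directory scan for that last recommendation, added here as an example and not taken from the article, Huntress or the vendor; the session-file layout, the file names and the indicator list are assumptions, and the sample records are constructed:

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators drawn from the behaviour described above: a NUL byte where a
# username belongs, Lua execution primitives a benign session record has no
# reason to contain, and certutil, the download tool the observed payloads used.
SUSPICIOUS_PATTERNS = [
    ("nul-byte", re.compile(rb"\x00")),
    ("lua-exec", re.compile(rb"\b(os\.execute|io\.popen|load(string)?)\s*\(")),
    ("certutil", re.compile(rb"certutil", re.IGNORECASE)),
]

def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every indicator that matches one session record."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(data)]

def scan_session_dir(directory: str) -> dict[str, list[str]]:
    """Map each flagged file under `directory` to the indicators it matched."""
    findings: dict[str, list[str]] = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample records (assumed layout, not real Wing FTP session files):
# one benign login record and one carrying a NUL-terminated username followed
# by a Lua call, with the command itself left as a placeholder.
BENIGN = b'username = "alice"\nlogged_in = true\n'
MALICIOUS = (
    b'username = "bob\x00"\n'
    b'os.execute("certutil PLACEHOLDER-ARGS")\n'
)

def demo() -> dict[str, list[str]]:
    """Write both samples to a temporary directory, scan it, return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.lua").write_bytes(BENIGN)
        Path(tmp, "flagged.lua").write_bytes(MALICIOUS)
        return {Path(p).name: hits for p, hits in scan_session_dir(tmp).items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Point `scan_session_dir` at the server's real session directory and schedule it; any hit on a freshly written record is worth an immediate look, since a legitimate login never leaves a NUL byte or a Lua call behind.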
With attackers actively scanning for vulnerable servers, delaying updates could lead to devastating breaches. Proactive measures are essential to prevent unauthorized access and data theft.
(Source: BLEEPINGCOMPUTER)