Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
CVE-2025-47812 is a maximum-severity remote code execution vulnerability in Wing FTP Server versions before 7.4.4, allowing unauthenticated attackers to execute arbitrary Lua code via null byte injection—resulting in full system compromise. Actively exploited since early July, this critical flaw underscores the urgent need for patching and monitoring.
Background & Discovery
CVE-2025-47812 surfaced in late June 2025 following public disclosure by researcher Julien Ahrens and RCE Security. It impacts Wing FTP Server versions prior to 7.4.4, offering unauthenticated attackers a path to execute arbitrary system commands by exploiting improper handling of null (\0) bytes in the server’s user and admin web interfaces. This flaw enables insertion of Lua payloads into session files, leading to remote code execution with root or SYSTEM privileges—ultimately resulting in full server compromise.
Active Exploitation & Timeline
Huntress confirmed active exploitation as early as July 1, 2025, just a day after public disclosure. Attack chains included reconnaissance, Lua script deployment, and persistence setup. The Hacker News further highlights malicious attempts involving ScreenConnect installers, enumeration, and user creation—though some were thwarted by defenders like Microsoft Defender.
CISA added this CVE to its Known Exploited Vulnerabilities (KEV) Catalog on July 14, 2025, mandating patching for federal agencies by August 4, 2025.
Technical Details & Attack Mechanics
-
Vulnerability Vector: The authentication logic in
loginok.htmlusesstrlen()for username validation. A%00(null byte) in the username truncates the value—bypassing checks—while the full malicious payload, including Lua code, is stored in the session file. - Payload Execution: A crafted username like
anonymous%00allows Lua code injection into session files. Later page visits (e.g.,dir.html) trigger execution. - System Compatibility: All major OS platforms—Windows, Linux, macOS—are vulnerable.
Scope & Impact
Over 8,000 Wing FTP Server instances are exposed online, with more than 5,000 showing accessible web interfaces across global infrastructures including the U.S., China, UK, Germany, and India.
Organizations such as Airbus, Reuters, and the U.S. Air Force are among those impacted.
EPSS data indicates a ~91% likelihood of exploitation within 30 days.
Mitigation & Response
-
Immediate Action: Upgrade to Wing FTP Server 7.4.4 or higher.
-
5. Mitigation & Response
- Detection: Look for truncated log entries (e.g., missing closing quotes after username), abnormal session file sizes, or unfamiliar
.luafiles. Use logs in directories likeLog\Domains\…and session storage paths.
6. Recommendations
-
Patch promptly: Ensure version 7.4.4 or later is deployed.
-
Enhance logging: Enable detailed monitoring of session file creation and deserialization events.
-
Harden configurations: Disable unnecessary services and anonymous access.
-
Security posture review: Evaluate alerting, incident response workflows, and data backup strategies.
-
Threat intelligence: Track exploitation trends, especially for high-severity CVEs like this one.
Conclusion
CVE-2025-47812 stands out for its critical severity (CVSS 10.0), ease of exploitation, and real-world attacks. With proof-of-concept code public and exploitation detected within hours of disclosure, rapid patching and robust monitoring are imperative.
Action Items:
-
Confirm your Wing FTP Server version—upgrade if needed.
-
Harden access and audit session behaviors.
-
Incorporate CVE-2025-47812 into your vulnerability management and incident response plans.
