Wing FTP Server Flaw Actively Exploited Shortly After Technical Details Were Made Public
A critical flaw in Wing FTP Server, tracked as CVE-2025-47812 (CVSS score of 10), has been actively exploited by threat actors just days after the technical details were made public. This vulnerability allows remote code execution with root/system privileges, putting at risk users who rely on the secure and flexible file transfer solution.
Wing FTP Server is a widely used solution that supports multiple protocols, including FTP, FTPS, SFTP, and HTTP/S. It runs on Windows, Linux, and macOS, and provides a user-friendly web interface for both administrators and users. However, this has not protected it from the recently discovered vulnerability.
The vulnerability CVE-2025-47812 is caused by improper handling of null bytes in Wing FTP Server before version 7.4.4. An attacker can inject malicious Lua code into session files, leading to remote command execution with root or system privileges. This allows threat actors to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
"In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files," reads the advisory published by MITRE. "This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default)." This is a remote code execution vulnerability that guarantees a total server compromise.
This happens because the SessionModule.lua script loads and runs session files without proper validation. If an attacker can manipulate a session file, whose name is tied to a cookie (UID), they can trigger code execution by performing any authenticated action on the server, such as listing directory contents via the web interface.
Critically, the server executes this code with full system-level privileges: on Linux as root, and on Windows as NT AUTHORITY/SYSTEM. This is because Wing FTP Server runs by default with elevated privileges and lacks protections like privilege dropping, sandboxing, or jailing. Although authentication is required to reach this point, even an anonymous FTP account (if enabled) can be used to exploit the flaw.
This vulnerability essentially enables an attacker to escalate from basic user access, anonymous or authenticated, to full remote code execution with administrative rights on both Linux and Windows systems.
Exploit Attempts Began Shortly After Technical Details Were Published
On June 30, researchers published technical details of the vulnerability, and exploit attempts began shortly after. Huntress researchers confirmed that threat actors had already started exploiting the flaw as early as July 1, 2025.
Proof-of-Concept Exploit Code Available
Arctic Wolf researchers warn that the availability of a proof-of-concept exploit code for this vulnerability will trigger future exploitation attempts shortly. The flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages.
"In observed cases of exploitation, threat actors attempted to download and execute malicious files, perform reconnaissance, and install remote monitoring and management software," reads the analysis published by Artic Wolf. "Arctic Wolf has observed similar activity previously where newly disclosed vulnerabilities were exploited on edge devices to steal sensitive data and potentially deploy ransomware in the aftermath."
Users Urged to Update to Server Version 7.4.4 or Later
Arctic Wolf urges users to update to server version 7.4.4 or later, as all versions before 7.4.4 are affected by the critical vulnerability.
"Threat actors exploiting this vulnerability must authenticate using either known credentials or the anonymous account, which requires no password but is disabled by default," reads the analysis published by Artic Wolf. "When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login."