U.S. CISA Adds Wing FTP Server Flaw to its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, to its Known Exploited Vulnerabilities (KEV) catalog. This move is aimed at alerting organizations and individuals to the potential risks associated with this vulnerability, which can be exploited by malicious actors to gain remote command execution on systems running Windows or Linux.
Wing FTP Server is a secure and flexible file transfer solution that supports multiple protocols, including FTP, FTPS, SFTP, and HTTP/S. It runs on Windows, Linux, and macOS, and provides a user-friendly web interface for both administrators and users. However, the vulnerability recently disclosed by researchers stems from the server's improper handling of null bytes, which exposes it to remote code execution.
The Vulnerability: A Critical Flaw in Wing FTP Server
The CVE-2025-47812 vulnerability occurs because the SessionModule.lua script loads and runs session files without proper validation. This allows attackers to inject content into the session file tied to the session cookie (UID); the injected code then runs as soon as the attacker performs any authenticated action on the server, such as listing directory contents via the web interface. The server executes this code with full system-level privileges: on Linux as root, and on Windows as NT AUTHORITY\SYSTEM.
Although authentication is required to reach this point, even an anonymous FTP account (if enabled) can be used to exploit the flaw. This vulnerability enables attackers to escalate from basic user access, whether anonymous or authenticated, to full remote code execution with administrative rights on both Linux and Windows systems.
The Impact of Exploitation
Exploit attempts began after researchers published technical details on the vulnerabilities on June 30. On July 10, 2025, Huntress researchers confirmed that this vulnerability had been actively exploited by threat actors as early as July 1, 2025.
The public availability of proof-of-concept exploit code for this vulnerability is likely to drive further exploitation attempts in the near term. According to Arctic Wolf researchers, threat actors exploiting this vulnerability must authenticate using either known credentials or the anonymous account, which requires no password but is disabled by default. When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login.
Prevention and Mitigation
Arctic Wolf urges users to update to server version 7.4.4 or later, as all versions before 7.4.4 are affected by the critical vulnerability. CISA has ordered federal agencies to remediate the vulnerability by August 4, 2025.
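As an added example (not the page's or the vendor's code), a small Python triage script that applies the two points above: it flags installations below the fixed release 7.4.4 and scans login records for usernames carrying a null byte, or for successful anonymous logins. The log line layout, its field names and the sample records are constructed assumptions; Wing FTP Server's real log format may differ.

```python
"""Defender triage for CVE-2025-47812 (added example, not vendor code).
Checks drawn from the advisory: (1) is the installed version below the fixed
release 7.4.4, and (2) do login records show a username carrying a null byte."""
import re
from urllib.parse import unquote_to_bytes

FIXED_VERSION = (7, 4, 4)

def parse_version(text: str) -> tuple:
    """Turn '7.4.3' or 'Wing FTP Server 7.4.4' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text: str) -> bool:
    """All releases before 7.4.4 are affected per the advisory."""
    return parse_version(text) < FIXED_VERSION

# Assumed layout (not Wing FTP's real format): "<ts> LOGIN user=<name> from=<ip> result=<ok|fail>"
LOGIN_RE = re.compile(r"LOGIN user=(?P<user>\S+) from=(?P<ip>\S+) result=(?P<result>\w+)")

def suspicious_username(raw_user: str) -> bool:
    """True if the username holds a NUL byte, raw or percent-encoded (%00).
    No legitimate account name contains one, so this is a strong signal."""
    return b"\x00" in unquote_to_bytes(raw_user)

def flag_login_events(lines):
    """Return (ip, username, reason) tuples that deserve a closer look."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if suspicious_username(user):
            findings.append((ip, user, "null byte in username"))
        elif user.lower() == "anonymous" and m["result"] == "ok":
            # anonymous is off by default; a successful login means it was enabled
            findings.append((ip, user, "anonymous login succeeded"))
    return findings

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2025-07-01T03:12:44Z LOGIN user=alice from=10.0.0.5 result=ok",
    "2025-07-01T03:13:02Z LOGIN user=anonymous%00x from=198.51.100.7 result=ok",
    "2025-07-01T03:13:09Z LOGIN user=anonymous from=198.51.100.8 result=ok",
    "2025-07-01T03:14:50Z LOGIN user=bob from=10.0.0.9 result=fail",
]
```

Run `flag_login_events(SAMPLE_LOG)` to list the two records worth investigating, and `is_vulnerable_version` against the banner or about-page string of each deployment to prioritise patching.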
Experts also recommend that private organizations review the Catalog and address the listed vulnerabilities in their infrastructure. Following these guidelines will help minimize the risk of attacks exploiting flaws in the catalog. Users should ensure they are up to date with the latest security patches and consider implementing additional security measures to protect themselves against potential exploitation attempts.
Conclusion
The addition of Wing FTP Server's CVE-2025-47812 vulnerability to CISA's KEV catalog serves as a reminder of the importance of regular security updates and monitoring for known exploited vulnerabilities. Organizations must take proactive steps to address these risks, ensuring their systems remain secure against potential threats.