“`html
Security analysts have verified the ongoing exploitation of a critical weakness in Wing FTP Server, only one day after the technical specifics were made public.
This defect, noted as CVE-2025-47812, has attained the highest CVSS rating of 10.0 and facilitates unauthenticated remote code execution with root or SYSTEM permissions.
The flaw was initially revealed by security expert Julien Ahrens on June 30, 2025, after a responsible disclosure to Wing FTP that led to the release of version 7.4.4 on May 14, 2025.
Nevertheless, attempts to exploit the vulnerability commenced right after the technical documentation was released, with Huntress security analysts recording the first attacks on July 1, 2025.
CVE-2025-47812 arises from the improper management of null bytes in the web interface of Wing FTP Server, particularly within the loginok.html endpoint that handles authentication requests.
This vulnerability merges a null byte injection issue with Lua code injection, enabling attackers to circumvent authentication checks and inject arbitrary commands into server session files.
The attack initiates with a malformed HTTP POST request directed at loginok.html containing a specifically crafted username parameter. By injecting a null byte (%00) followed by Lua code, attackers can manipulate the session creation process of the server.
Once the server processes these corrupted session files, the inserted Lua code executes with elevated privileges, allowing attackers to gain total control over the system.
Security analysts at Huntress developed a proof-of-concept exploit illustrating how the vulnerability can be exploited to achieve arbitrary code execution with root privileges on Linux systems or SYSTEM on Windows.
The attack is especially perilous as it can be carried out through anonymous FTP accounts, which are turned off by default but may be activated in certain configurations.
Extensive Internet Exposure
Data from Censys reveals that around 8,103 publicly accessible devices globally are operating Wing FTP Server, with 5,004 of these systems exposing their web interfaces to the internet.
The Shadowserver Foundation has pinpointed approximately 2,000 IPs running exposed Wing FTP Server instances, although specific vulnerability assessments have not been carried out on all identified systems.
The geographical distribution indicates the highest concentrations of potentially vulnerable systems in the United States, China, Germany, the United Kingdom, and India.
Entities utilizing Wing FTP Server for file transfer activities consist of major companies such as Airbus, Reuters, and the U.S. Air Force, signifying the potential for considerable impact across critical infrastructure sectors.
Documented Attack Activity
Huntress researchers recorded active exploitation starting July 1, 2025, with threat actors aiming at a client’s Wing FTP Server installation.
The attack entailed five separate IP addresses attempting to compromise the same system within a brief period, implying coordinated scanning and exploitation endeavours.
The observed attack series consisted of:
- Initial reconnaissance using commands like
ipconfig,arp -a, andnslookup - System enumeration through
whoami,net user, and PowerShell scripts - Establishment of new user accounts for persistence
- Attempts to download and execute remote malware using
certutilandcurl - Efforts to install remote access tools, including ScreenConnect
Although the specific attack faltered, likely due to intervention by Microsoft Defender or inexperience on the part of the attacker, the incident illustrates the active exploitation of the vulnerability in the real world.
Wing FTP Server version 7.4.4, released on May 14, 2025, addresses CVE-2025-47812 along with two additional security vulnerabilities (CVE-2025-47813 and a path disclosure issue). The vendor has reportedly contacted clients via email with upgrade instructions following the announcement of active exploitation.
For organizations unable to upgrade immediately, security analysts recommend adopting interim protective measures including:
- Disabling or limiting HTTP/HTTPS access to the Wing FTP web portal
- Turning off anonymous login capabilities
- Monitoring session directories for suspicious
.luafiles - Implementing network segmentation to mitigate exposure
The vulnerability impacts all principal operating systems supported by Wing FTP Server, including Windows, Linux, and macOS. Given the software’s extensive deployment in enterprise environments for secure file transfer operations, the security community has issued urgent recommendations for prompt patching.
Organizations running Wing FTP Server installations should emphasize upgrading to version 7.4.4 or later, conduct exhaustive security evaluations of their file transfer infrastructure, and implement additional monitoring to identify potential compromise indicators.
The combination of maximum severity rating, ongoing exploitation, and extensive internet exposure positions this vulnerability as a substantial threat to organizational security posture.
The post Wing FTP Server Vulnerability Actively Exploited – 2000+ Servers Exposed Online appeared first on Cyber Security News.
“`