Hackers are exploiting a critical RCE flaw in a popular FTP server — here’s what you need to know
- Hackers launched attacks just one day after the flaw’s full technical write-up was made public
- Many servers stayed vulnerable for weeks despite a fix being released long before the disclosure
- Null byte injection in the username field lets attackers bypass login and run Lua code
Security researchers have confirmed attackers are actively exploiting a critical vulnerability in Wing FTP Server, a widely used solution for managing file transfers.
Researchers at Huntress say the flaw, identified as CVE-2025-47812, was disclosed publicly on June 30, and exploitation began just a day later.
This vulnerability allows unauthenticated remote code execution (RCE), enabling attackers to run code as root or SYSTEM on vulnerable servers.
Wing FTP Server remains vulnerable in unpatched systems
Wing FTP Server is deployed across enterprise and SMB environments, and it is used by more than 10,000 organizations globally, including high-profile clients such as Airbus, Reuters, and the US Air Force.
The vulnerability exists in versions 7.4.3 and earlier and has been patched in version 7.4.4, which was released on May 14, 2025.
Despite the fix being available for over a month, many users remained unpatched when technical details were made public.
Security researcher Julien Ahrens explained that the issue stems from improper input sanitization and unsafe handling of null-terminated strings.
The weakness allows a null byte injected in the username field to bypass authentication and insert malicious Lua code into session files.
These files, when deserialized by the server, trigger code execution at the highest system level.
One attacker created malicious session files that used certutil and cmd.exe to fetch and execute remote payloads.
Although the attack was ultimately unsuccessful, thanks in part to Microsoft Defender, researchers noted that the intruders attempted to escalate privileges, perform reconnaissance, and create new users to maintain persistence.
Another attacker reportedly had to look up how to use curl mid-attack, and one even involved a second party during the operation.
This shows the persistence of attackers who are likely scanning for exposed Wing FTP instances, including those running outdated versions.
Even if attackers lacked sophistication, the vulnerability remains highly dangerous.
Researchers recommend upgrading to version 7.4.4 immediately, but where updates aren’t possible, disabling HTTP/S access, removing anonymous login options, and monitoring session file directories are essential mitigation steps.
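As an added illustration of the session-file monitoring recommended above (example code written for this page, not from Huntress or Wing FTP), the following Python sweep flags session files that contain the tool names reported in the attacks or a raw NUL byte. The directory path is supplied by the operator, the NUL-byte check is a heuristic assumption, and the sample file names and contents are constructed.

```python
import os
import re
import sys
import tempfile

# Tool names the article reports inside malicious session files.
TOOLS = re.compile(rb"certutil|cmd\.exe|curl", re.IGNORECASE)

def scan_session_file(path):
    """Return sorted reasons a session file looks suspicious ([] if none)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = {"tool:" + m.group(0).decode("ascii").lower()
               for m in TOOLS.finditer(data)}
    # Assumption: legitimate session files are text, so a raw NUL byte
    # (the injected username terminator) should never be stored in one.
    if b"\x00" in data:
        reasons.add("nul-byte")
    return sorted(reasons)

def scan_session_dir(session_dir):
    """Walk session_dir and map each suspicious file path to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(session_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                reasons = scan_session_file(path)
            except OSError:
                continue  # file rotated or locked mid-scan; next run sees it
            if reasons:
                findings[path] = reasons
    return findings

def build_constructed_samples(directory):
    """Write two constructed (not captured) session files for a dry run."""
    with open(os.path.join(directory, "clean.sess"), "wb") as fh:
        fh.write(b"username=alice\nipaddress=192.0.2.10\n")
    with open(os.path.join(directory, "odd.sess"), "wb") as fh:
        fh.write(b"username=anonymous\x00 CertUtil cmd.exe\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # operator-supplied session directory
    else:
        target = tempfile.mkdtemp()
        build_constructed_samples(target)
    for path, reasons in sorted(scan_session_dir(target).items()):
        print(path, ",".join(reasons))
```

Run it on a schedule against the server's session directory and alert on any output; a hit is a lead for investigation, not proof of compromise.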
Three additional vulnerabilities were reported: one enabling password exfiltration through JavaScript, another exposing system paths via an overlong cookie, and a third highlighting the server’s lack of sandboxing.
While these pose serious risks, CVE-2025-47812 has received the highest severity rating due to its potential for complete system compromise.
Via The Register and BleepingComputer