Hackers Exploit Critical RCE Vulnerability in Wing FTP Server

📟 News

Date: 17/07/2025

Hackers began exploiting a critical vulnerability in Wing FTP Server just one day after technical details about the issue were published.

The vulnerability has been assigned the identifier CVE-2025-47812 and has received the maximum score of 10 on the CVSS scale. It involves a combination of a null byte and Lua code injection, allowing an unauthenticated attacker to remotely execute code with the highest privileges (root/SYSTEM).

The details of this issue were published by cybersecurity specialist Julien Ahrens on June 30, 2025. The expert explained that the vulnerability is related to the insecure handling of null-terminated strings in C++ and improper input sanitization in Lua.

Ahrens demonstrated that a null byte in the username field bypasses authentication and allows Lua code to be injected into session files; when the server later executes those files, the injected code runs as root/SYSTEM.

In addition to CVE-2025-47812, Ahrens described three more vulnerabilities in Wing FTP Server:

  • CVE-2025-27889 — allows user passwords to be extracted via a specially crafted URL once the user fills in and submits the login form, because the password is included in a JavaScript (location) variable;
  • CVE-2025-47811 — Wing FTP Server runs by default with root/SYSTEM privileges, without sandboxing or privilege reduction, making RCE much more dangerous;
  • CVE-2025-47813 — providing an excessively long UID cookie reveals file system paths.

All vulnerabilities affect Wing FTP Server 7.4.3 and earlier versions. The issues were fixed in version 7.4.4, released on May 14, 2025, with the exception of the CVE-2025-47811 issue, which was deemed insignificant.

Experts from Huntress have developed a PoC exploit for the critical bug CVE-2025-47812 and demonstrated in a video how hackers can use it in attacks.

On July 1, just a day after the technical details of CVE-2025-47812 were published, specialists from Huntress discovered that at least one attacker had already exploited the vulnerability against one of the company's clients.

The attackers sent login requests to loginok.html using usernames containing null bytes. These requests created .lua session files carrying injected code on the server. That code was designed to decode a payload and execute it via cmd.exe (using certutil), which resulted in the download and execution of malware.
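The two artifacts that paragraph describes, a login request to loginok.html whose username carries a null byte and a session file with injected Lua, are both things a defender can look for in retrospect. The script below is an added example written for this article, not code from Huntress, Ahrens or the vendor. It assumes a hypothetical request record of the form (method, path, form-encoded body), a form field named `username` (the real field name is not stated in the article), and a short list of Lua and Windows indicators taken from the article's description (`os.execute`/`io.popen`, cmd.exe, certutil); all sample requests and session files are constructed.

```python
"""Retrospective triage helpers for the Wing FTP Server activity described above.

Heuristic 1: flag login requests to loginok.html whose username decodes to bytes
             containing NUL (the null-byte trick behind CVE-2025-47812).
Heuristic 2: scan server-side .lua session files for code that shells out or
             invokes the Windows tooling named in the write-up (cmd.exe, certutil).

The request tuple format and the "username" field name are assumptions for this
example; adapt the parsing to the real access-log layout.
"""
import re
from typing import List, Optional, Tuple

from urllib.parse import unquote_to_bytes

# Indicators of injected Lua. These are standard Lua APIs and Windows binaries;
# the list is this example's own assumption, not a vendor detection rule.
LUA_INDICATORS = {
    "lua_shell_call": re.compile(r"\b(os\.execute|io\.popen)\s*\("),
    "windows_shell": re.compile(r"cmd\.exe", re.IGNORECASE),
    "certutil_lolbin": re.compile(r"certutil(\.exe)?\b", re.IGNORECASE),
}

# Constructed sample requests: (method, path, form-encoded body).
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/loginok.html", "username=alice&password=Summer2025&remember=1"),
    ("POST", "/loginok.html", "username=bob%00%0aINJECTED_LUA_PLACEHOLDER&password=x"),
    ("GET", "/index.html", ""),
    # NUL only in the password: not the pattern from the article, so not flagged.
    ("POST", "/loginok.html", "username=carol&password=hunter2%00"),
]

# Constructed sample session files (file name -> contents).
SAMPLE_SESSIONS = {
    "benign.lua": 'session = { user = "alice", lang = "en" }\n',
    "suspicious.lua": 'session = { user = "bob" }\nos.execute("cmd.exe /c certutil <PLACEHOLDER>")\n',
}


def form_field_bytes(body: str, name: str) -> Optional[bytes]:
    """Return the raw, percent-decoded bytes of one form field, or None if absent.

    Decoding to bytes rather than str keeps an embedded %00 visible instead of
    letting a later C-string-style truncation hide whatever follows it.
    """
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_to_bytes(key) == name.encode():
            return unquote_to_bytes(value)
    return None


def username_has_null_byte(body: str) -> bool:
    """True if the body's username field contains a NUL byte after decoding."""
    user = form_field_bytes(body, "username")
    return user is not None and b"\x00" in user


def flag_login_requests(requests: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Return (index, username-before-NUL) for each loginok.html request with a NUL username."""
    flagged = []
    for idx, (_method, path, body) in enumerate(requests):
        if path.lower().endswith("/loginok.html") and username_has_null_byte(body):
            user = form_field_bytes(body, "username") or b""
            prefix = user.split(b"\x00", 1)[0].decode("latin-1")
            flagged.append((idx, prefix))
    return flagged


def scan_session_file(text: str) -> List[str]:
    """Return the sorted names of every indicator that matches the session file text."""
    return sorted(name for name, rx in LUA_INDICATORS.items() if rx.search(text))


if __name__ == "__main__":
    for idx, user in flag_login_requests(SAMPLE_REQUESTS):
        print(f"request #{idx}: NUL byte in username (prefix {user!r}); "
              "review session files written after this request")
    for fname, text in SAMPLE_SESSIONS.items():
        hits = scan_session_file(text)
        print(f"{fname}: {'CLEAN' if not hits else 'SUSPICIOUS (' + ', '.join(hits) + ')'}")
```

Correlating the two signals is the useful step: a flagged request with no matching session file may mean the attempt failed (as the article says some did), while a suspicious session file with no flagged request suggests the logs are incomplete or the field name differs from the assumption here.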

According to Huntress, Wing FTP Server was attacked from five different IP addresses over a short period of time. This may indicate attempts at mass scanning and exploitation of the vulnerability by multiple hacking groups.

It is noted that the attacks were unsuccessful either because of the attackers’ lack of knowledge or because Microsoft Defender stopped them. However, researchers emphasize that CVE-2025-47812 is clearly under attack and recommend that users update to version 7.4.4 as soon as possible.
