
Hackers Exploit Critical RCE Vulnerability in Wing FTP Server

Hackers began exploiting a critical vulnerability in Wing FTP Server just one day after technical details about the issue were published.

The vulnerability has been assigned the identifier CVE-2025-47812 and has received the maximum score of 10 on the CVSS scale. It involves a combination of a null byte and Lua code injection, allowing an unauthenticated attacker to remotely execute code with the highest privileges (root/SYSTEM).

The details of this issue were published by cybersecurity specialist Julien Ahrens on June 30, 2025. The expert explained that the vulnerability is related to the insecure handling of null-terminated strings in C++ and improper input sanitization in Lua.

The researcher demonstrated that a null byte in the username field allows bypassing authentication and injecting Lua code into session files. When the server subsequently executes such a file, arbitrary code runs as root/SYSTEM.

In addition to CVE-2025-47812, Ahrens described three more vulnerabilities in Wing FTP Server:

  • CVE-2025-27889 — allows extraction of user passwords via a specially crafted URL if the user fills in and submits the login form, because the password is placed in a JavaScript (location) variable;
  • CVE-2025-47811 — Wing FTP Server runs by default with root/SYSTEM privileges, without sandboxing or privilege reduction, making RCE much more dangerous;
  • CVE-2025-47813 — providing an excessively long UID cookie reveals file system paths.

All vulnerabilities affect Wing FTP Server 7.4.3 and earlier versions. The issues were fixed in version 7.4.4, released on May 14, 2025, with the exception of the CVE-2025-47811 issue, which was deemed insignificant.

Experts from Huntress have developed a PoC exploit for the critical bug CVE-2025-47812 and demonstrated in a video how hackers can use it in attacks.

On July 1st, just a day after the technical details of CVE-2025-47812 were published, specialists from Huntress discovered that at least one attacker had already exploited the vulnerability against one of the company's clients.

Attackers sent malicious login requests using usernames containing null bytes and targeted loginok.html. These requests created malicious .lua session files, placing attacker-controlled code on the server. This code was designed to decode the payload and execute it via cmd.exe (using certutil), which resulted in the download and execution of malware.
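As an added example, not code from the article, Huntress or Wing FTP, here is a small Python detector for the request pattern described above: a login POST to loginok.html whose URL-decoded username carries a null byte. The log line layout ("client method path body") and the sample entries are constructed assumptions, not the server's real log format.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request log (not real telemetry). The line layout
# "client method path body" is an assumption for this example, not Wing
# FTP Server's actual log format.
SAMPLE_LOG = """\
203.0.113.10 POST /loginok.html username=alice&password=s3cret
203.0.113.11 POST /loginok.html username=admin%00junk&password=x
203.0.113.12 POST /loginok.html username=bob%2500&password=x
203.0.113.13 GET /loginok.html
203.0.113.14 POST /dir.html username=admin%00junk
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """True for a login POST whose decoded username contains a NUL byte.

    CVE-2025-47812 abuses a null byte in the username sent to loginok.html,
    so that exact combination is what gets flagged. A double-encoded
    '%2500' decodes to the literal text '%00', not a NUL, and is left alone.
    """
    if method != "POST" or not path.endswith("/loginok.html"):
        return False
    fields = parse_qs(body or "", keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def scan_log(text: str) -> list[str]:
    """Return the client address of every suspicious login request."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, method, path, body = match.groups()
        if is_suspicious_login(method, path, body or ""):
            hits.append(client)
    return hits


if __name__ == "__main__":
    for client in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2025-47812 attempt from {client}")
```

Several distinct clients hitting this rule in a short window matches the mass-scanning pattern Huntress describes, so counting unique addresses is a useful second signal.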

According to Huntress, Wing FTP Server was attacked from five different IP addresses over a short period of time. This may indicate attempts at mass scanning and exploitation of the vulnerability by multiple hacking groups.

It is noted that the attacks were unsuccessful either because of the attackers’ lack of knowledge or because Microsoft Defender stopped them. However, researchers emphasize that CVE-2025-47812 is clearly under attack and recommend that users update to version 7.4.4 as soon as possible.
