Hackers began exploiting a critical vulnerability in Wing FTP Server just one day after technical details about the issue were published.
The vulnerability has been assigned the identifier CVE-2025-47812 and has received the maximum score of 10 on the CVSS scale. It involves a combination of a null byte and Lua code injection, allowing an unauthenticated attacker to remotely execute code with the highest privileges (root/SYSTEM).
The details of this issue were published by cybersecurity specialist Julien Ahrens on June 30, 2025. The expert explained that the vulnerability is related to the insecure handling of null-terminated strings in C++ and improper input sanitization in Lua.
A researcher has demonstrated that a null byte in the username field allows bypassing authentication and injecting Lua code into session files. When such files are subsequently executed by the server, arbitrary code execution as root/SYSTEM can be achieved.
In addition to CVE-2025-47812, Arens described three more vulnerabilities in Wing FTP Server:
- CVE-2025-27889 — allows extraction of user passwords via a specially crafted URL if the user fills and submits the login form, due to the inclusion of the password in a JavaScript (location) variable;
- CVE-2025-47811 — Wing FTP Server runs by default with root/SYSTEM privileges, without sandboxing or privilege reduction, making RCE much more dangerous;
- CVE-2025-47813 — providing an excessively long UID cookie reveals file system paths.
All vulnerabilities affect Wing FTP Server 7.4.3 and earlier versions. The issues were fixed in version 7.4.4, released on May 14, 2025, with the exception of the CVE-2025-47811 issue, which was deemed insignificant.
Experts from Huntress have developed a PoC exploit for the critical bug CVE-2025-47812 and demonstrated in a video how hackers can use it in attacks.
On July 1st, just a day after the technical details of CVE-2025-47812 were published, specialists from Huntress discovered that at least one attacker had already exploited the vulnerability against a company client.
Attackers sent malicious login requests using usernames with null bytes and targeted loginok.html. These requests created malicious .lua session files, injecting malicious code onto the server. This code was designed to decode the payload and execute it via cmd.exe (using certutil), which resulted in the download and execution of malware.
According to Huntress, Wing FTP Server was attacked from five different IP addresses over a short period of time. This may indicate attempts at mass scanning and exploitation of the vulnerability by multiple hacking groups.
It is noted that the attacks were unsuccessful either because of the attackers’ lack of knowledge or because Microsoft Defender stopped them. However, researchers emphasize that CVE-2025-47812 is clearly under attack and recommend that users update to version 7.4.4 as soon as possible.
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →