Critical Wing FTP Server Vulnerability Added to CISA's Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant Wing FTP Server flaw to its Known Exploited Vulnerabilities catalog. This vulnerability, CVE-2025-47812, allows remote code execution with elevated privileges. Learn more about the implications and necessary actions.
TL;DR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe vulnerability in Wing FTP Server, tracked as CVE-2025-47812, to its Known Exploited Vulnerabilities catalog. This flaw allows remote code execution with elevated privileges, posing a significant risk to affected systems. Users are urged to update to the latest version to mitigate this threat.
CISA Adds Wing FTP Server Flaw to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a critical Wing FTP Server vulnerability, identified as CVE-2025-47812, in its Known Exploited Vulnerabilities (KEV) catalog. This addition highlights the urgent need for users to address this security flaw to protect their systems from potential exploitation.
Understanding the Vulnerability
Wing FTP Server is a versatile file transfer solution supporting multiple protocols such as FTP, FTPS, SFTP, and HTTP/S. It operates on Windows, Linux, and macOS, featuring a user-friendly web interface for both administrators and users.
The vulnerability, CVE-2025-47812, arises from improper handling of null ('\0') bytes in the web interfaces, which lets an attacker inject Lua code into their own session file. Because the server loads that file as Lua, the injected code runs with the privileges of the FTP service, root on Linux or SYSTEM on Windows by default, compromising the entire server.
Technical Details
The flaw is described in the MITRE advisory:
“In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).”
The SessionModule.lua script loads and executes session files without validating their contents. Each session file is keyed by the session cookie (UID). The null byte is what makes the injection possible: the authentication logic treats it as a string terminator and validates only the text before it, while the full value, including everything after the null byte, is written into the session file. Once Lua has been planted there, any later authenticated action that causes the file to be loaded, such as listing a directory in the web interface, executes the injected code with full system-level privileges.
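The mismatch described above, as an added Python illustration (not Wing FTP Server code): a credential check that sees only the C-string prefix of a value, beside a session-file writer that stores the whole value unescaped, and then a hardened pair that rejects null bytes and escapes the value. The session-file layout, the `ALLOWED_USERS` set and the writer functions are hypothetical simplifications, not a description of the product's real format.

```python
"""Simulated NUL-byte mismatch between a C-style credential check and a
Lua session-file writer. Added illustration; the session-file layout and
user list are hypothetical."""

# Hypothetical simplified session file: one Lua table holding the username.
SESSION_TEMPLATE = 'session = {{ username = "{username}" }}\n'

# Constructed user database.
ALLOWED_USERS = {"anonymous", "alice"}


def c_str(value: str) -> str:
    """Emulate a C string: everything from the first NUL byte onward is invisible."""
    nul = value.find("\x00")
    return value if nul < 0 else value[:nul]


def lua_quote(value: str) -> str:
    """Escape a value for use inside a Lua double-quoted string literal."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("\n", "\\n")
                 .replace("\r", "\\r"))


def write_session_vulnerable(username: str) -> str:
    """Vulnerable pattern: the credential check validates the C-string view
    of the username, but the raw value is interpolated into the Lua file
    unescaped, so text after the NUL byte lands in the file unchecked."""
    if c_str(username) not in ALLOWED_USERS:
        raise PermissionError("login rejected")
    return SESSION_TEMPLATE.format(username=username)


def write_session_hardened(username: str) -> str:
    """Hardened pattern: reject NUL bytes outright, validate the whole value,
    and escape it before it reaches the Lua file."""
    if "\x00" in username:
        raise ValueError("NUL byte in username")
    if username not in ALLOWED_USERS:
        raise PermissionError("login rejected")
    return SESSION_TEMPLATE.format(username=lua_quote(username))


def attempt(writer, username: str) -> str:
    """Run a session writer and report the outcome as a short tag."""
    try:
        return "written:" + writer(username)
    except PermissionError:
        return "rejected:credentials"
    except ValueError:
        return "rejected:nul-byte"


if __name__ == "__main__":
    # A value that passes the truncated check as "anonymous" but carries
    # a string-literal breakout and an extra Lua statement after the NUL.
    payload = 'anonymous\x00"; injected = true --'
    print(attempt(write_session_vulnerable, payload))
    print(attempt(write_session_vulnerable, 'anonymous"; injected = true --'))
    print(attempt(write_session_hardened, payload))
```

Without the null byte the same breakout fails the credential check, because the whole string is compared against the user list; with it, the check passes and the extra statement reaches the file.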
Exploitation and Impact
Exploitation requires valid credentials, but an anonymous FTP account is enough if anonymous access is enabled. From that starting point an attacker escalates from basic user access to full remote code execution with administrative rights on both Linux and Windows systems.
Exploitation attempts began shortly after researchers published technical details on June 30, 2025. On July 10, 2025, Huntress researchers confirmed active exploitation by threat actors. Arctic Wolf researchers warn that publicly available proof-of-concept exploit code will likely drive further exploitation attempts.
Mitigation and Recommendations
CISA has set a deadline of August 4, 2025, for federal agencies to address this vulnerability. Private organizations are also advised to review the CISA Catalog and take necessary actions to secure their infrastructure.
Administrators should update to Wing FTP Server 7.4.4 or later, since every earlier version is affected. Where the update cannot be applied immediately, disabling anonymous FTP access closes the path that needs no real credentials, but any valid account can still trigger the flaw, so this is a stopgap, not a fix. Given the confirmed in-the-wild exploitation, exposed servers should also be checked for signs of compromise, not only patched.
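Two checks a responder can run while rolling the update out, written here as an added example (not from the page, CISA, Huntress or Wing FTP): a version comparison against the fixed release 7.4.4, and a heuristic scan of session files for NUL bytes and Lua execution sinks. The version-string shape and the sample file contents are constructed; the indicator list is generic Lua, not a description of Wing FTP's session-file format, so treat hits as leads to inspect by hand.

```python
"""Version triage and session-file hunting for CVE-2025-47812.
Added example; version-string shape, sample files and indicator list are
assumptions, not Wing FTP Server specifics."""
import re
from pathlib import Path

# First fixed release according to the advisory.
FIXED_VERSION = (7, 4, 4)

# Assumed version-string shape: any text containing a dotted major.minor.patch.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Generic Lua sinks that have no business inside session data (heuristic).
_LUA_SINKS = re.compile(
    rb"\b(os\.execute|io\.popen|io\.open|loadstring|dofile|load|require)\s*\("
)

# Constructed sample session files, not captures from a real server.
SAMPLES = {
    "benign": b'session = { username = "alice", home = "/srv/ftp/alice" }\n',
    "suspicious": b'session = { username = "anonymous\x00"; os.execute("id > /tmp/x") --" }\n',
}


def parse_version(text: str):
    """Extract (major, minor, patch) from a banner or version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text: str) -> bool:
    """True when the version found in text is older than the fixed release."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no version found in {text!r}")
    return version < FIXED_VERSION


def scan_session_bytes(data: bytes) -> list:
    """Return indicator tags for one session file's raw bytes."""
    findings = []
    if b"\x00" in data:
        findings.append("nul-byte")
    for m in _LUA_SINKS.finditer(data):
        findings.append("lua-sink:" + m.group(1).decode())
    return findings


def scan_directory(directory) -> dict:
    """Scan every regular file in directory; map file name to its findings."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            findings = scan_session_bytes(path.read_bytes())
            if findings:
                results[path.name] = findings
    return results


if __name__ == "__main__":
    for banner in ("Wing FTP Server 7.4.3", "Wing FTP Server 7.4.4"):
        print(banner, "-> vulnerable" if is_vulnerable(banner) else "-> fixed")
    for name, data in SAMPLES.items():
        print(name, scan_session_bytes(data))
```

Point `scan_directory` at the server's session directory on a host you are triaging; a file that contains a NUL byte or a call into `os`/`io` deserves a manual look and, if confirmed, incident handling rather than a quiet patch.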
Conclusion
The addition of CVE-2025-47812 to CISA’s Known Exploited Vulnerabilities catalog underscores the severity of this Wing FTP Server flaw. Organizations must prioritize updating their systems to mitigate the risk of exploitation and protect against potential cyber threats. For further insights, check the CISA alert and the Huntress analysis.