
Wing FTP Server Vulnerability: Critical RCE Flaw Exploited in the Wild

Discover the critical Wing FTP Server flaw (CVE-2025-47812) being actively exploited for remote code execution with root/system privileges. Learn about the vulnerability, its impact, and necessary mitigation steps.


TL;DR

A critical flaw in Wing FTP Server (CVE-2025-47812) allows remote code execution with root/system privileges. Threat actors began exploiting this vulnerability shortly after its details were published, highlighting the need for immediate updates to mitigate risks.

Critical Wing FTP Server Vulnerability Actively Exploited

Cybersecurity experts have identified a critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, which enables remote code execution with root or system privileges. This flaw, with a CVSS score of 10, poses a significant risk to organizations using the affected software.

Understanding Wing FTP Server

Wing FTP Server is a versatile file transfer solution supporting multiple protocols, including FTP, FTPS, SFTP, and HTTP/S. It is compatible with Windows, Linux, and macOS, featuring a user-friendly web interface for both administrators and end-users.

Vulnerability Overview

The vulnerability CVE-2025-47812 arises from improper handling of null ('\0') bytes in the web interfaces, which allows attackers to inject malicious Lua code into session files. When the server later loads such a session file, the injected code runs, giving remote command execution with elevated privileges [1].

“In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).” - MITRE Advisory

Exploitation Details

The SessionModule.lua script in Wing FTP Server loads and runs session files without proper validation. Attackers can manipulate session files, linked to a cookie (UID), to trigger code execution by performing authenticated actions on the server, such as listing directory contents via the web interface.
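The bug class behind this flaw, a validator that stops reading at the first null byte while a later stage consumes the full byte string, is easy to reproduce in miniature. The following is an added example written for this post, not code from the article or from Wing FTP Server; the allowed-character set, the `c_string_view` model and the `username=` record format are assumptions made for the illustration, not the product's real session format.

```python
"""Added example: why a NUL byte lets data slip past a validator that uses
C-string semantics, shown beside a hardened validator that inspects raw bytes."""

import re

# Allowed username characters for the hardened check (an assumption for this example).
USERNAME_RE = re.compile(rb"[A-Za-z0-9._@-]{1,64}")


def c_string_view(data: bytes) -> bytes:
    """Model a C-style consumer: the string ends at the first NUL byte."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def validate_username_vulnerable(username: bytes) -> bool:
    """Vulnerable pattern: only the NUL-terminated view is validated.
    Everything after the first NUL is invisible here but still reaches later stages."""
    return USERNAME_RE.fullmatch(c_string_view(username)) is not None


def validate_username_hardened(username: bytes) -> bool:
    """Hardened pattern: validate the full byte string and reject any control byte."""
    if any(b < 0x20 or b == 0x7F for b in username):
        return False
    return USERNAME_RE.fullmatch(username) is not None


def write_session_record(username: bytes) -> bytes:
    """Model a later stage that serialises the *raw* bytes into a session file.
    Constructed key=value line; not Wing FTP Server's real session format."""
    return b"username=" + username + b"\n"


if __name__ == "__main__":
    # Constructed input: a valid-looking name followed by a NUL and trailing bytes.
    sample = b"alice\x00TRAILING-DATA"
    print("vulnerable validator accepts:", validate_username_vulnerable(sample))
    print("hardened validator accepts:  ", validate_username_hardened(sample))
    print("record written by later stage:", write_session_record(sample))
```

The point of the pairing: the vulnerable validator and the session writer disagree about where the username ends, so whatever follows the NUL is never inspected yet is persisted. Rejecting control bytes before any other processing removes that disagreement entirely.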

Impact and Risk

This vulnerability executes code with full system-level privileges:

  • On Linux as root
  • On Windows as NT AUTHORITY\SYSTEM

Wing FTP Server runs with elevated privileges by default, lacking protections like privilege dropping, sandboxing, or jailing. Even anonymous FTP accounts, if enabled, can exploit this flaw, allowing attackers to escalate from basic user access to full administrative control on both Linux and Windows systems.

Timeline of Exploitation

  • June 30, 2025: Technical details of the vulnerability published.
  • July 1, 2025: First observed exploitation attempts by threat actors.
  • July 10, 2025: Huntress researchers confirmed active exploitation, warning of future attacks due to available proof-of-concept exploit code [2].

“Threat actors exploiting this vulnerability must authenticate using either known credentials or the anonymous account, which requires no password but is disabled by default. When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages.” - Arctic Wolf Analysis

Mitigation Steps

Users are strongly advised to update to Wing FTP Server version 7.4.4 or later, as all previous versions are affected by this critical vulnerability [3].
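Two checks a defender would want alongside the upgrade: confirm whether an installed version falls below the fixed release, and look for Lua command-execution primitives in session files, which should never contain code. This is an added example written for this post, not the article's or Wing FTP Server's own code. The fixed version 7.4.4 comes from the advisory; the token list, the session-directory path and the assumption that session files are plain text are choices made for this example.

```python
"""Added example: triage helpers for CVE-2025-47812 (version check and a
session-file scan for Lua command-execution primitives)."""

import re
from pathlib import Path

FIXED_VERSION = (7, 4, 4)  # from the advisory: fixed in Wing FTP Server 7.4.4

# Standard Lua primitives that turn injected code into OS command execution.
# Legitimate session data should not contain calls like these. Token list is
# this example's choice, not a vendor-published signature.
SUSPICIOUS_LUA = re.compile(rb"\b(?:os\.execute|io\.popen|loadstring|dofile)\s*\(")


def parse_version(version: str) -> tuple:
    """Turn '7.4.3' (or '7.4.3 build ...') into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def is_affected(version: str) -> bool:
    """True for any release below 7.4.4; all earlier versions are affected."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_lua(data: bytes) -> list:
    """Return every suspicious Lua call found in one session file's bytes."""
    return [match.group(0) for match in SUSPICIOUS_LUA.finditer(data)]


def scan_session_dir(session_dir) -> dict:
    """Scan every regular file in session_dir; map file name -> list of hits."""
    hits = {}
    for path in Path(session_dir).iterdir():
        if path.is_file():
            found = find_suspicious_lua(path.read_bytes())
            if found:
                hits[path.name] = found
    return hits


if __name__ == "__main__":
    print("7.4.3 affected:", is_affected("7.4.3"))
    print("7.4.4 affected:", is_affected("7.4.4"))
    # Constructed session-file content for the demo; not a real Wing FTP record.
    sample = b'username="bob"\nlast_dir="/home/bob"\n'
    print("hits in clean sample:", find_suspicious_lua(sample))
    # Placeholder path: replace with the server's actual session directory.
    # print(scan_session_dir("/path/to/wingftp/session"))
```

A file that trips the scanner is evidence worth preserving for incident response rather than simply deleting, since the injected session is the artefact that ties a compromise to the login that created it.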

Pierluigi Paganini

References

  1. MITRE (2025). “CVE-2025-47812 Advisory”. MITRE. Retrieved 2025-07-13.

  2. Huntress (2025). “Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in Wild”. Huntress. Retrieved 2025-07-13.

  3. Arctic Wolf (2025). “CVE-2025-47812: Wing FTP Server RCE Vulnerability”. Arctic Wolf. Retrieved 2025-07-13.

This post is licensed under CC BY 4.0 by the author.