Hackers have begun exploiting a severe remote code execution (RCE) vulnerability in Wing FTP Server (CVE-2025-47812) just a day after its technical details were made public by security researcher Julien Ahrens.
The vulnerability, rated with the highest severity score, combines a null byte injection and Lua code injection, allowing unauthenticated attackers to execute code with root or SYSTEM privileges. It affects Wing FTP versions 7.4.3 and earlier.
Wing FTP Server, commonly used for secure file transfers in enterprises and SMBs, supports Lua scripting, which makes this attack especially dangerous. The flaw stems from improper handling of null-terminated strings in C++ and poor input sanitization in Lua, which allows attackers to inject malicious code via a specially crafted username field.
Once injected, the malicious Lua code is executed by the server, giving attackers full control over the system. Huntress, a cybersecurity firm, confirmed active exploitation attempts beginning July 1, with attackers using certutil to download malware and cURL for data exfiltration.
Ahrens also disclosed three additional vulnerabilities:
- CVE-2025-27889 – Password leakage through JavaScript variable.
- CVE-2025-47811 – Wing FTP runs as root/SYSTEM by default.
- CVE-2025-47813 – An overly long UID cookie reveals file system paths.
All but one of these were fixed in Wing FTP version 7.4.4, released on May 14, 2025. CVE-2025-47811 was deemed low-risk and remains unpatched.
Security Recommendations:
- Immediately update to Wing FTP Server 7.4.4.
- If unable to update, disable HTTP/HTTPS access to the web portal.
- Turn off anonymous logins.
- Monitor the session directory for suspicious .lua files.
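As an added example of the last recommendation (not a tool shipped with Wing FTP or mentioned in the article), the script below walks a session directory and flags .lua files that contain process-spawning or code-loading Lua primitives, or references to the two tools the article says attackers used. The indicator list, the directory layout and the sample files it builds are assumptions constructed for an offline run; tune the patterns to what your own server's session files normally contain.

```python
"""Flag suspicious .lua files in a Wing FTP-style session directory.

Added, illustrative detection script. The indicator patterns below are an assumed
starting list: standard Lua primitives that run shell commands or load code at run
time, plus 'certutil' and 'curl', which the article reports being used post-exploitation.
"""
import re
import tempfile
from pathlib import Path

SUSPICIOUS_PATTERNS = {
    "os.execute": re.compile(rb"os\s*\.\s*execute\s*\("),
    "io.popen": re.compile(rb"io\s*\.\s*popen\s*\("),
    "dynamic load": re.compile(rb"\b(?:loadstring|dofile|load)\s*\("),
    "certutil": re.compile(rb"certutil", re.IGNORECASE),
    "curl": re.compile(rb"\bcurl\b", re.IGNORECASE),
}


def scan_lua_file(path: Path) -> list[str]:
    """Return the names of every indicator that matches the file's raw bytes."""
    data = path.read_bytes()  # bytes, so odd encodings or embedded NULs do not abort the scan
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(data)]


def scan_session_dir(session_dir: Path) -> dict[str, list[str]]:
    """Walk `session_dir` recursively and map each flagged .lua file (relative path)
    to the indicators found in it. Clean files are omitted."""
    findings: dict[str, list[str]] = {}
    for lua_file in sorted(session_dir.rglob("*.lua")):
        hits = scan_lua_file(lua_file)
        if hits:
            findings[str(lua_file.relative_to(session_dir))] = hits
    return findings


def build_demo_session_dir() -> Path:
    """Create constructed sample session files in a temp directory (not real Wing FTP data)."""
    root = Path(tempfile.mkdtemp(prefix="session_demo_"))
    (root / "benign.lua").write_text('username = "alice"\nlast_dir = "/home/alice"\n')
    (root / "odd.lua").write_text(
        'username = "bob"\nos.execute("certutil PLACEHOLDER-ARGS")\n'
    )
    sub = root / "nested"
    sub.mkdir()
    (sub / "worse.lua").write_text('local h = io.popen("curl PLACEHOLDER-URL")\n')
    return root


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_session_dir()
    results = scan_session_dir(target)
    if not results:
        print(f"no suspicious .lua files under {target}")
    for rel_path, indicators in results.items():
        print(f"SUSPICIOUS {rel_path}: {', '.join(indicators)}")
```

Point it at the real session directory (`python scan_sessions.py /path/to/session/dir`) from a scheduled job and alert on any non-empty result; with no argument it scans the constructed demo files and reports the two planted ones.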
With exploitation already underway, administrators should take urgent action to secure exposed systems.