Hackers Exploit Critical RCE Vulnerability in Wing FTP Server

Attackers began exploiting a critical vulnerability in Wing FTP Server just one day after technical details about the flaw were made public.
The vulnerability, tracked as CVE-2025-47812, received the maximum CVSS severity score of 10.0. It stems from a combination of a null byte injection and Lua code execution, allowing unauthenticated attackers to execute arbitrary code with root or SYSTEM privileges.
Cybersecurity expert Julien Ahrens publicly disclosed the issue on June 30, 2025. According to Ahrens, the vulnerability arises from unsafe handling of null-terminated strings in C++ and inadequate input sanitization in Lua.
In a proof-of-concept demonstration, Ahrens showed how a null byte inserted into the username field could bypass authentication and inject Lua code into session files. When these files are later processed by the server, the injected code is executed with the highest level of privilege.
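To make that mechanism concrete, the following is an added Python model of the bug class (it is not Wing FTP Server's code, and the account set, the session-file layout and every function name here are assumptions). It uses ctypes.c_char_p to reproduce the C view of a NUL-terminated buffer beside Python's length-aware bytes, so the authentication check and the session writer disagree about what the username is, and then shows the two-part fix: reject embedded NULs during validation and emit the value into Lua as an escaped literal instead of by concatenation.

```python
"""Model of a NUL-truncation / Lua-injection bug class (added illustration,
not Wing FTP Server code; ACCOUNTS, the session-file layout and the function
names are assumptions made for this example)."""
import ctypes

ACCOUNTS = {"anonymous"}  # hypothetical accounts the model server accepts


def c_string_view(data: bytes) -> bytes:
    """What a C API working on a NUL-terminated char* sees.
    ctypes.c_char_p.value stops at the first NUL, like strlen()/strcmp()."""
    return ctypes.c_char_p(data).value


def authenticate_vulnerable(username: bytes) -> bool:
    # Only the prefix before the NUL is compared; the tail is invisible here.
    return c_string_view(username).decode("latin-1") in ACCOUNTS


def session_file_vulnerable(username: bytes) -> str:
    # The writer works on the full buffer (std::string and Python bytes both
    # track length explicitly), so bytes after the NUL land in the Lua file
    # unescaped, where the interpreter later treats them as code.
    return 'username = "' + username.decode("latin-1") + '"\n'


def lua_quote(data: bytes) -> str:
    """Emit a Lua string literal in which no byte can terminate the literal.
    Quotes and backslashes are escaped; NUL, newlines and other non-printable
    bytes become Lua decimal escapes (\\ddd), e.g. NUL -> \\000."""
    out = []
    for b in data:
        if b in (0x22, 0x5C):            # '"' and '\\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'


def authenticate_fixed(username: bytes) -> bool:
    # Validate the whole buffer, not its C-string prefix, and reject NULs outright.
    if b"\x00" in username:
        return False
    return username.decode("latin-1") in ACCOUNTS


def session_file_fixed(username: bytes) -> str:
    return "username = " + lua_quote(username) + "\n"


# Constructed input: a valid account name, a NUL, then text that closes the Lua
# string literal and appends a statement. The command is a harmless placeholder.
PAYLOAD = b'anonymous\x00"\nos.execute("whoami")\n--'


def injected_statements(session_text: str) -> list:
    """Lines of a session file that are not the single expected assignment."""
    return [ln for ln in session_text.splitlines() if not ln.startswith("username = ")]


if __name__ == "__main__":
    print("vulnerable auth accepts payload:", authenticate_vulnerable(PAYLOAD))
    print("vulnerable session file:\n" + session_file_vulnerable(PAYLOAD))
    print("injected lines:", injected_statements(session_file_vulnerable(PAYLOAD)))
    print("fixed auth accepts payload:", authenticate_fixed(PAYLOAD))
    print("fixed session file:\n" + session_file_fixed(PAYLOAD))
```

The point of the model is the mismatch, not either half alone: a NUL-aware string type that faithfully copies the whole buffer is only dangerous because an earlier check used C-string semantics and validated a shorter value. Fixing only the check (rejecting NULs) leaves the session writer one quote character away from the same injection, so the escaped literal is the part that removes the code path.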
In addition to CVE-2025-47812, Ahrens identified three other security issues affecting Wing FTP Server:
- CVE-2025-27889 – Exposes user passwords in a JavaScript variable (location) via a crafted URL when a victim submits a login form.
- CVE-2025-47811 – The server runs as root/SYSTEM by default, without sandboxing or privilege separation, increasing the severity of RCE exploits.
- CVE-2025-47813 – An overly long UID cookie can leak filesystem paths.
All vulnerabilities affect Wing FTP Server versions 7.4.3 and earlier. Most were patched in version 7.4.4, released on May 14, 2025. However, CVE-2025-47811 was classified as non-critical and remains unaddressed.
Security researchers at Huntress developed a working proof-of-concept exploit for CVE-2025-47812 and published a demonstration video showing how the vulnerability could be weaponized.
On July 1, just one day after the technical write-up was released, Huntress observed active exploitation against one of its clients. Attackers sent malicious login requests containing null bytes in the username field, targeting loginok.html. These requests generated rogue .lua session files, injecting Lua code that decrypted and executed a payload via cmd.exe using certutil, ultimately leading to malware download and execution.
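For defenders, the observable pattern above reduces to two checks: POST requests to loginok.html whose username field carries a NUL byte, and .lua session files that contain command-execution strings. The following is an added Python triage helper that applies both to sample data; it is not Huntress's or Wing FTP's tooling, the request and session-file samples are constructed for the example, and the dict layout of a request record is an assumption (adapt it to whatever your proxy or web-server log parser emits).

```python
"""Triage helper for the exploitation pattern described in the write-up
(added example; request records and session files below are constructed,
and the record layout is an assumption, not a Wing FTP log format)."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote_to_bytes

LOGIN_PATH = "/loginok.html"
# Lua exec primitives plus the Windows binaries the injected code invoked.
SUSPICIOUS_LUA = re.compile(r"os\.execute|io\.popen|cmd\.exe|certutil", re.IGNORECASE)


def username_has_null(body: str) -> bool:
    """True if the URL-encoded form body has a NUL byte in the username field.
    Decode before checking so %00 and a raw NUL are treated alike."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "username" and b"\x00" in unquote_to_bytes(value):
            return True
    return False


def flag_login_request(req: Dict[str, str]) -> Optional[str]:
    if (req["method"] == "POST" and req["path"].endswith(LOGIN_PATH)
            and username_has_null(req["body"])):
        return f"{req['src_ip']}: NUL byte in username posted to {LOGIN_PATH}"
    return None


def flag_session_file(name: str, text: str) -> Optional[str]:
    if name.endswith(".lua"):
        m = SUSPICIOUS_LUA.search(text)
        if m:
            return f"{name}: contains {m.group(0)!r}"
    return None


def triage(requests: List[Dict[str, str]],
           session_files: Dict[str, str]) -> Tuple[List[str], Set[str]]:
    """Return all findings plus the set of source IPs that sent exploit
    attempts; several distinct IPs in a short window is the mass-scanning signal."""
    findings: List[str] = []
    sources: Set[str] = set()
    for req in requests:
        f = flag_login_request(req)
        if f:
            findings.append(f)
            sources.add(req["src_ip"])
    for name, text in session_files.items():
        f = flag_session_file(name, text)
        if f:
            findings.append(f)
    return findings, sources


# Constructed samples (not real telemetry); addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src_ip": "198.51.100.10", "method": "POST", "path": "/loginok.html",
     "body": "username=anonymous%00%0Aprint%28%29&password=x"},
    {"src_ip": "198.51.100.11", "method": "POST", "path": "/loginok.html",
     "body": "username=anonymous%00x&password=y"},
    {"src_ip": "203.0.113.5", "method": "POST", "path": "/loginok.html",
     "body": "username=alice&password=hunter2"},
]
SAMPLE_SESSION_FILES = {
    "sess_1.lua": 'username = "alice"\n',
    "sess_2.lua": 'username = "anonymous"\nos.execute("cmd.exe /c certutil ...")\n',
}

if __name__ == "__main__":
    found, ips = triage(SAMPLE_REQUESTS, SAMPLE_SESSION_FILES)
    for line in found:
        print(line)
    print("distinct exploit sources:", sorted(ips))
```

Two caveats when moving this onto real data: the username check must run on the decoded body, since a raw NUL in a form field is often already dropped or replaced by the time a text-only log line is written, so a request-capturing proxy or the server's own request log is a better source than a reconstructed access log; and the session-file scan is a confirmation step, because a rogue .lua file means the injection succeeded even if the follow-on payload was blocked.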
According to Huntress, Wing FTP Server was targeted from five different IP addresses in rapid succession—indicating mass scanning and exploitation attempts by multiple threat actors.
While the observed attacks ultimately failed—either due to attacker missteps or effective blocking by Microsoft Defender—researchers warn that CVE-2025-47812 is under active exploitation. Users are strongly urged to upgrade to version 7.4.4 immediately.