Ethical Hacking News
Hackers are exploiting a critical RCE flaw in Wing FTP Server, which can lead to arbitrary code execution and other serious security issues. Companies relying on this software must take immediate action to secure their systems and prevent potential attacks.
Hackers are exploiting a critical remote code execution (RCE) vulnerability in Wing FTP Server, CVE-2025-47812, just one day after technical details on the flaw became public. The exploited vulnerability allows remote, unauthenticated attackers to execute code with the highest privileges on the system (root/SYSTEM). There are three additional vulnerabilities in Wing FTP: CVE-2025-27889, CVE-2025-47811, and CVE-2025-47813. All three flaws impact Wing FTP versions 7.4.3 and earlier. The vendor released version 7.4.4 to fix the issues except for CVE-2025-47811, which was deemed unimportant. At least one attacker exploited the vulnerability within a day of technical details being made public, and multiple attack attempts were observed. Cospanies are strongly advised to upgrade to version 7.4.4 as soon as possible or implement proper security measures to mitigate the risks associated with this vulnerability.
Hackers are exploiting a critical remote code execution (RCE) vulnerability in Wing FTP Server, just one day after technical details on the flaw became public. The observed attack ran multiple enumeration and reconnaissance commands followed by establishing persistence by creating new users.
The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows remote, unauthenticated attackers to execute code with the highest privileges on the system (root/SYSTEM). Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, which are widely used in enterprise and Small and Medium Business (SMB) environments.
On June 30, security researcher Julien Ahrens published a technical write-up for CVE-2025-47812, explaining that the flaw stems from unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua. The researcher demonstrated how a null byte in the username field could bypass authentication checks and enable Lua code injection into session files.
When those files are subsequently executed by the server, it is possible to achieve arbitrary code execution as root/SYSTEM. Along with CVE-2025-47812, the researcher presented another three flaws in Wing FTP:
1. CVE-2025-27889 – allows exfiltrating user passwords via a crafted URL if the user submits a login form, due to unsafe inclusion of the password in a JavaScript variable (location).
2. CVE-2025-47811 – Wing FTP runs as root/SYSTEM by default, with no sandboxing or privilege drop, making RCEs far more dangerous.
3. CVE-2025-47813 – supplying an overlong UID cookie reveals file system paths.
All the flaws impact Wing FTP versions 7.4.3 and earlier. The vendor fixed the issues by releasing version 7.4.4 on May 14, 2025, except for CVE-2025-47811, which was deemed unimportant.
Threat researchers at managed cybersecurity platform Huntress created a proof-of-concept exploit for CVE-2025-47812 and showed in the video below how hackers could leverage it in attacks.
Huntress researchers found that on July 1st, a day after technical details for CVE-2025-47812 appeared, at least one attacker exploited the vulnerability at one of their customers. The attacker sent malformed login requests with null-byte-injected usernames, targeting 'loginok.html.' These inputs created malicious session .lua files that injected Lua code into the server.
The injected code was designed to hex-decode a payload and execute it via cmd.exe, using certutil to download malware from a remote location and execute it. Huntress says that the same Wing FTP instance was targeted by five distinct IP addresses within a short time frame, potentially indicating mass-scanning and exploitation attempts by several threat actors.
The hacker failed the attack "maybe due to their unfamiliarity with them, or because Microsoft Defender stopped part of their attack," Huntress says. Nevertheless, the researchers observed clear exploitation of the critical Wing FTP Server vulnerability.
Even if Huntress observed failed attacks at their customers, hackers are likely to scan for reachable Wing FTP instances and try to take advantage of vulnerable servers. Companies are strongly advised to upgrade to version 7.4.4 of the product as soon as possible.
If switching to a newer, secure version is not possible, the researchers' recommendation is to disable or restrict HTTP/HTTPS access to the Wing FTP web portal, disable anonymous logins, and monitor the session directory for suspicious additions.
The recent incident highlights the importance of timely patching and proper security configurations. Companies relying on Wing FTP Server must take immediate action to secure their systems and prevent potential attacks.
In conclusion, hackers are exploiting a critical RCE flaw in Wing FTP Server, which can lead to arbitrary code execution and other serious security issues. It is crucial for companies using this software to upgrade to the latest version as soon as possible or implement proper security measures to mitigate the risks associated with this vulnerability.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Critical-Wing-FTP-Server-Vulnerability-A-Cautionary-Tale-of-Remote-Code-Execution-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/
Published: Sat Jul 12 10:38:47 2025 by llama3.2 3B Q4_K_M
