Ethical Hacking News
A critical vulnerability in the Wing FTP server has been actively exploited by hackers, allowing them to execute arbitrary system commands with root or system privileges. Users should update to server version 7.4.4 or later to avoid being affected by this serious security concern.
Wing FTP Server has a critical vulnerability (CVE-2025-47812) that allows attackers to inject malicious Lua code, leading to remote command execution with root or system privileges. The vulnerability is caused by improper handling of null bytes and was publicly disclosed on June 30, 2025. Threat actors have been exploiting it since July 1, 2025, using tactics such as injecting malicious Lua code and downloading executables. All versions prior to 7.4.4 are affected, and updating to 7.4.4 is the recommended fix.
The Wing FTP Server is a secure and flexible file transfer solution that supports multiple protocols, including FTP, FTPS, SFTP, and HTTP/S. It runs on Windows, Linux, and macOS, providing a user-friendly web interface for both administrators and users. However, the recent disclosure of this vulnerability has exposed a critical flaw in the server's security.
According to the advisory published by MITRE, Wing FTP Server before version 7.4.4 mishandles '\0' bytes, allowing attackers to inject arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default), so the injected code runs with full system-level privileges.
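To illustrate the bug class behind the advisory's "mishandles '\0' bytes" wording, here is an added example (not Wing FTP's code and not from the original article): a C-string check sees only the bytes before the first NUL, while a length-aware consumer keeps the rest, and a strict check rejects the field outright. The account names, function names and sample field are made up for the demo, and the premise that the flaw takes this general shape is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical account list for the demo. */
static const char *const KNOWN_USERS[] = { "alice", "anonymous" };
#define N_USERS (sizeof KNOWN_USERS / sizeof KNOWN_USERS[0])

/* Constructed sample: a length-delimited field with an embedded '\0'. */
static const char SAMPLE[] = "alice\0TRAILING";
#define SAMPLE_LEN (sizeof SAMPLE - 1) /* 14 bytes, literal terminator excluded */

/* Flawed check: strcmp() stops at the first '\0', so only "alice" is compared. */
static bool user_known_cstr(const char *field)
{
    for (size_t i = 0; i < N_USERS; i++)
        if (strcmp(field, KNOWN_USERS[i]) == 0)
            return true;
    return false;
}

/* Hardened check: reject embedded '\0', then compare the full length. */
static bool user_known_strict(const char *field, size_t len)
{
    if (memchr(field, '\0', len) != NULL)
        return false;
    for (size_t i = 0; i < N_USERS; i++)
        if (strlen(KNOWN_USERS[i]) == len && memcmp(field, KNOWN_USERS[i], len) == 0)
            return true;
    return false;
}

/* Bytes (from the first '\0' on) that a length-aware consumer would still
 * store or process although the C-string check never examined them. */
static size_t unchecked_bytes(const char *field, size_t len)
{
    const char *nul = memchr(field, '\0', len);
    return nul ? len - (size_t)(nul - field) : 0;
}

int main(void)
{
    printf("cstr check accepts:   %d\n", user_known_cstr(SAMPLE));
    printf("strict check accepts: %d\n", user_known_strict(SAMPLE, SAMPLE_LEN));
    printf("unchecked bytes:      %zu\n", unchecked_bytes(SAMPLE, SAMPLE_LEN));
    return 0;
}
```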
Threat actors have been exploiting this vulnerability since July 1, 2025, shortly after technical details were made public. Huntress researchers confirmed that exploit attempts began after researchers published technical details on the flaw on June 30, 2025. Arctic Wolf researchers also warned that the availability of proof-of-concept exploit code for this vulnerability will soon trigger further exploitation attempts.
The threat actors have been using various tactics to exploit the vulnerability, including injecting malicious Lua code into session files, which can lead to remote command execution with root or system privileges. They have also attempted to download and execute malicious files, perform reconnaissance, and install remote monitoring and management software.
Arctic Wolf researchers observed similar activity previously, where newly disclosed vulnerabilities were exploited on edge devices to steal sensitive data and potentially deploy ransomware in the aftermath. The organization urges users to update to server version 7.4.4 or later, as all versions before this are affected by the critical vulnerability.
In conclusion, the Wing FTP Server flaw is a serious security concern that has been actively exploited by hackers. Users should take immediate action to update their servers and ensure that they have the latest security patches installed. It's also essential for system administrators to monitor their systems closely for any signs of exploitation and take prompt action to mitigate the impact.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Wing-FTP-Server-Flaw-A-Critical-Vulnerability-Exploited-by-Hackers-ehn.shtml
https://securityaffairs.com/179861/hacking/wing-ftp-server-flaw-actively-exploited-shortly-after-technical-details-were-made-public.html
https://nvd.nist.gov/vuln/detail/CVE-2025-47812
https://www.cvedetails.com/cve/CVE-2025-47812/
Published: Sun Jul 13 23:27:25 2025 by llama3.2 3B Q4_K_M