According to Huntress, the most recent disclosed security flaw affecting Wing FTP servers is subject to aggressive exploitation in the wild.
The vulnerability tracked as CVE-2025-47812 (CVSS score: 10.0) is a case of improper handling of null (‘\0’) bytes in the server’s web interface, allowing remote code execution. Addressed in version 7.4.4.
According to the cve.org flaw advisory, “The user and administrator web interface can explor “\0″ bytes and ultimately inject any LUA code into the user session file.” “This can be used to run any system command using privileges on the FTP service (root or system by default).”
What’s even more concerning is that flaws can be exploited through anonymous FTP accounts. A comprehensive breakdown of vulnerabilities was in the public domain until the end of June 2025, courtesy of RCE security researcher Julien Arlens.
Cybersecurity company Huntress said threat actors have been observed to download and run malicious LUA files, carry out reconnaissance and exploit the flaws to install remote monitoring and management software.
“CVE-2025-47812 is due to how nullbytes are handled in username parameters (particularly related to the loginok.html file that handles the authentication process),” Huntress researchers said. “This allows remote attackers to perform LUA injection after using null bytes in the username parameter.”
“By utilizing nullbyte injection, the enemy confuses the expected input of the LUA file that stores these session characteristics.”
Evidence of aggressive exploitation was first observed on July 1, 2025 against a single customer. Upon gaining access, the threat actor ran enumeration and reconnaissance commands, created a new user as a form of persistence, dropped the LUA file and dropped the installer for ScreenConnect.
There is no evidence that the remote desktop software was actually installed, as the attack was detected and stopped before the attack progressed further. It is not clear who is behind the activity right now.
According to Censys data, there are 8,103 publicly accessible devices running a Wing FTP server, of which 5,004 expose the web interface. Most of the instances are in the US, China, Germany, the UK and India.
In light of active exploitation, it is essential that users apply the latest patches and move quickly to update Wing FTP server versions from 7.4.4 or later.
Source link
