The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a new critical vulnerability, CVE-2025-47812, affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog. This action follows confirmed reports of active exploitation in the wild, underscoring the urgent need for organizations to address this security risk immediately.
Vulnerability Overview
CVE-2025-47812 is a remote code execution vulnerability stemming from improper neutralization of null byte (NUL) characters within Wing FTP Server’s authentication processes. Specifically, the flaw allows attackers to inject arbitrary Lua code into user session files by exploiting inadequate input sanitization in the server’s web interface. When executed, this code runs with elevated privileges—root or SYSTEM—potentially leading to full system compromise.
Notably, the vulnerability can be exploited remotely and does not require authentication, as anonymous FTP accounts are also affected. This significantly broadens the attack surface and increases the risk to exposed systems.
Discovery and Impact
The vulnerability was reported by security researcher Julien Ahrens of RCE Security and affects Wing FTP Server versions prior to 7.4.4. Exploitation in the wild has been observed since early July 2025, shortly after public disclosure of the technical details and proof-of-concept exploits.
Given the severity of this flaw, attackers can gain complete control over vulnerable servers, enabling them to deploy malicious payloads, conduct reconnaissance, and establish persistent access. This poses a critical threat to organizations relying on Wing FTP Server for file transfer and management.
Mitigation and Recommendations
Wing FTP Server version 7.4.4, released on May 14, 2025, includes a patch that addresses this vulnerability. CISA strongly urges all organizations using affected versions to apply this update without delay.
In addition to patching, organizations should:
- Restrict network access to vulnerable servers until patched.
- Monitor server logs for unusual FTP or web interface activity.
- Review and strengthen overall vulnerability management processes to prioritize remediation of threats listed in the KEV Catalog.
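The following Python sketch is an added example, not code from CISA, the article, or Wing FTP Server: it illustrates two of the checks above, comparing an installed version against the patched 7.4.4 release and flagging web-interface login requests whose parameters carry a NUL byte, whether raw or percent-encoded. The log line layout, the /login path and the sample lines are constructed assumptions; real Wing FTP Server logs are laid out differently and the regex must be adapted.

```python
import re
from urllib.parse import unquote_to_bytes
PATCHED_VERSION = (7, 4, 4)  # first fixed release named in the advisory

# Hypothetical access-log layout: "<client-ip> <HTTP-method> <path>[?<query>]".
# Real Wing FTP Server logs differ; adjust LINE_RE and AUTH_PATHS for them.
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$")
AUTH_PATHS = ("/login",)  # hypothetical web-interface login endpoint
# Constructed sample lines: one clean login, one with a percent-encoded NUL,
# one unrelated request, and one with a raw NUL byte in the username.
SAMPLE_LOG = (
    "10.0.0.5 POST /login?username=alice&password=REDACTED\n"
    "10.0.0.9 POST /login?username=anonymous%00junk&password=x\n"
    "10.0.0.7 GET /index.html\n"
    "10.0.0.11 POST /login?username=guest\x00&password=x\n"
)

def parse_version(text: str) -> tuple:
    """Turn '7.4.3' into (7, 4, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable_version(text: str) -> bool:
    """True for any Wing FTP Server release before 7.4.4."""
    return parse_version(text) < PATCHED_VERSION

def nul_fields(query: str) -> list:
    """Names of query fields whose URL-decoded value contains a NUL byte."""
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if b"\x00" in unquote_to_bytes(value):  # catches both %00 and a raw NUL
            hits.append(unquote_to_bytes(name).decode("latin-1", "replace"))
    return hits

def scan_auth_log(log_text: str) -> list:
    """Return (client_ip, field) pairs for login requests carrying a NUL byte."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue
        path, _, query = match.group("path").partition("?")
        if path.startswith(AUTH_PATHS):
            findings.extend((match.group("ip"), f) for f in nul_fields(query))
    return findings

if __name__ == "__main__":
    for ip, field in scan_auth_log(SAMPLE_LOG):
        print(f"NUL byte in '{field}' from {ip}: review this session")
```

A hit is a reason to inspect the corresponding session and the server's session storage, not proof of compromise on its own.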
