Alarm sounded over a critical vulnerability in Wing FTP Server (CVE-2025-47812) that is currently being exploited in the wild.

Security researchers and threat intelligence teams are sounding the alarm over a critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, which is currently being exploited in the wild. The flaw, which affects all versions up to and including 7.4.3, enables remote attackers to execute arbitrary code on vulnerable servers, potentially leading to full system compromise.

Vulnerability Details

CVE-2025-47812 is a remote code execution (RCE) vulnerability stemming from improper handling of NULL bytes within the username parameter during authentication requests. By crafting a malicious HTTP POST request to the /loginok.html endpoint, attackers can inject arbitrary Lua code into user session files. When these files are processed, the injected code is executed with the same privileges as the Wing FTP Server process—often root on Linux or SYSTEM on Windows.

Although authentication is typically required to exploit this flaw, the presence of an enabled anonymous FTP account (disabled by default) significantly lowers the bar for attackers. Security experts have demonstrated that a specially crafted username containing a NULL byte and appended Lua code can bypass authentication checks and achieve code execution.
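For defenders reviewing captured login traffic, the following is an added detection example (not code from the advisory or from the Wing FTP Server vendor). It assumes login requests are available as method, path and URL-encoded form body (for example from a reverse proxy or WAF capture), that the form field is named `username`, and it flags POSTs to `/loginok.html` whose username decodes to contain a NULL byte; the sample records are constructed.

```python
"""Flag login requests carrying a NULL byte in the username field.

Added example for reviewing captured HTTP login traffic to Wing FTP
Server. Assumptions: requests are captured as (method, path, form body)
and the form field is called "username". Sample records are constructed.
"""
from urllib.parse import parse_qs

LOGIN_ENDPOINT = "/loginok.html"


def username_has_null_byte(body: str) -> bool:
    """Return True if the username form field decodes to contain NUL."""
    # parse_qs percent-decodes, so a raw or %00-encoded NUL both show up as "\x00"
    fields = parse_qs(body, keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """A POST to the login endpoint with a NUL in the username is suspicious."""
    endpoint = path.split("?", 1)[0]          # ignore any query string
    return (method.upper() == "POST"
            and endpoint == LOGIN_ENDPOINT
            and username_has_null_byte(body))


def scan_records(records):
    """Return the indices of captured records that look like exploitation attempts."""
    return [i for i, (method, path, body) in enumerate(records)
            if is_suspicious_login(method, path, body)]


# Constructed sample records: (method, path, url-encoded form body)
SAMPLE_RECORDS = [
    ("POST", "/loginok.html", "username=alice&password=secret"),        # normal login
    ("POST", "/loginok.html", "username=anonymous%00trailing&password=x"),  # NUL in username
    ("GET", "/loginok.html", "username=anonymous%00"),                   # not a POST
    ("POST", "/other.html", "username=bob%00"),                          # wrong endpoint
]

if __name__ == "__main__":
    for i in scan_records(SAMPLE_RECORDS):
        print("suspicious login request:", SAMPLE_RECORDS[i])
```

Feed it the decoded login requests from your own capture rather than raw access logs, since standard access logs usually omit POST bodies.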

Exploitation Timeline

  • June 30, 2025: Technical details and proof-of-concept (PoC) exploit code were published online.
  • July 1, 2025: Reports of active exploitation began to surface, with attackers leveraging public PoC code to compromise unpatched servers.
  • July 10, 2025: Multiple security advisories confirmed widespread exploitation targeting vulnerable installations.

Potential Impact

Successful exploitation of CVE-2025-47812 grants attackers complete administrative control over the affected server. This access can be used to steal sensitive data, deploy malware or ransomware, or pivot deeper into organizational networks. The risk is especially acute for organizations running internet-facing FTP servers or those with default or misconfigured anonymous access.

Mitigation and Recommendations

The vendor has released Wing FTP Server version 7.4.4, which addresses this critical vulnerability. All users are strongly urged to upgrade to the latest version without delay.

Recommended Actions:

  • Upgrade immediately to Wing FTP Server 7.4.4 or later.
  • Disable anonymous FTP access unless absolutely necessary.
  • Review server logs for signs of suspicious activity or compromise.
  • Restrict network access to the FTP server using firewalls and access control lists.
  • Implement regular vulnerability assessments and maintain a robust patch management process.
