Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public. The attacker sent malformed login requests with null-byte-injected usernames, targeting ‘loginok.html.’ These inputs created malicious session .lua files that injected Lua code into the server. If switching to a newer, secure version is not possible, the researchers' recommendation is to disable or restrict HTTP/HTTPs access to the Wing FTP web portal, disable anonymous logins, and monitor the session directory for suspicious additions. Huntress says that the same Wing FTP instance was targeted by five distinct IP addresses within a short time frame, potentially indicating mass-scanning and exploitation attempts by several threat actors. Even if Huntress observed failed attacks at their customers, hackers are likely to scan for reachable Wing FTP instances and try to take advantage of vulnerable servers. It is a combination of a null byte and Lua code injection that allows remote a unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM). Nevertheless, the researchers observed clear exploitation of the critical Wing FTP Server vulnerability. The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, which is widely used in enterprise and SMB environments. The researcher demonstrated how a null byte in the username field could bypass authentication checks and enable Lua code injection into session files. On June 30, security researcher Julien Ahrens published a technical write-up for CVE-2025-47812, explaining that the flaw stems from unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua. Huntress researchers found that on July 1st, a day after technical details for CVE-2025-47812 appeared, at least one attacker exploited the vulnerability at one of their customers. The injected code was designed to hex-decode a payload and execute it via cmd.exe, using certutil to download malware from a remote location and execute it. The commands observed in these attempts were for reconnaissance, obtaining persistence in the environment, and data exfiltration using the cURL tool and webhook endpoint. When those files are subsequently executed by the server, it is possible to achieve arbitrary code execution as root/SYSTEM. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 12 Jul 2025 15:30:12 +0000