Security researchers have confirmed active exploitation of a critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, just one day after technical details were publicly disclosed. Exploitation attempts began immediately after the technical write-up became public, with Huntress security researchers observing the first attacks on July 1, 2025.

The vulnerability was first disclosed by security researcher Julien Ahrens on June 30, 2025, following a responsible disclosure to Wing FTP that resulted in version 7.4.4 being released on May 14, 2025. Wing FTP Server version 7.4.4 addresses CVE-2025-47812 along with two other security vulnerabilities (CVE-2025-47813 and a path disclosure issue). Huntress researchers documented active exploitation beginning July 1, 2025, with threat actors targeting a customer's Wing FTP Server installation.

CVE-2025-47812 stems from improper handling of null bytes in Wing FTP Server's web interface, specifically in the loginok.html endpoint that processes authentication requests. The vulnerability combines a null byte injection flaw with Lua code injection, allowing attackers to bypass authentication checks and inject arbitrary commands into server session files. When the server processes these corrupted session files, the injected Lua code executes with elevated privileges, granting attackers complete control over the system. Security researchers at Huntress created a proof-of-concept exploit demonstrating how the vulnerability can be leveraged to achieve arbitrary code execution as root on Linux systems or SYSTEM on Windows. The vulnerability affects all major operating systems supported by Wing FTP Server, including Windows, Linux, and macOS.

According to data from Censys, approximately 8,103 publicly accessible devices are running Wing FTP Server worldwide, with 5,004 of these systems exposing their web interfaces to the internet. The Shadowserver Foundation has identified around 2,000 IPs running exposed Wing FTP Server instances, though specific vulnerability checks have not been conducted on all identified systems. Organizations using Wing FTP Server for file transfer operations include major corporations such as Airbus, Reuters, and the U.S. Air Force, indicating the potential for significant impact across critical infrastructure sectors.

The combination of maximum severity rating, active exploitation, and widespread internet exposure makes this vulnerability a significant threat to organizational security posture. Given the software's widespread deployment in enterprise environments for secure file transfer operations, the security community has issued urgent recommendations for immediate patching. Organizations operating Wing FTP Server installations should prioritize upgrading to version 7.4.4 or later, conduct thorough security assessments of their file transfer infrastructure, and implement additional monitoring to detect potential compromise indicators.
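One way to implement the additional monitoring the article recommends, as an added example that is not from the article, Huntress, or Wing FTP: a small Python scanner over web-server access logs that flags requests to the loginok.html endpoint whose parameters carry a URL-encoded null byte. The Common Log Format layout, the sample lines, and the assumption that the login parameters are visible in the logged request line are all constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Common Log Format (assumed layout,
# not real traffic). Only the first and last login requests are suspicious.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2025:10:14:02 +0000] "POST /loginok.html?username=admin%00&password=x HTTP/1.1" 200 512
198.51.100.7 - - [01/Jul/2025:10:15:11 +0000] "POST /loginok.html?username=alice&password=s3cret HTTP/1.1" 200 512
203.0.113.5 - - [01/Jul/2025:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.9 - - [01/Jul/2025:10:17:03 +0000] "POST /loginok.html?username=bob%2500&password=x HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

LOGIN_ENDPOINT = "/loginok.html"  # the authentication endpoint named in the article


def null_byte_reason(value: str) -> Optional[str]:
    """Return why a parameter is suspicious, or None if it is clean."""
    if "\x00" in value:
        return "decoded null byte"
    if "%00" in value.lower():
        # A double-encoded %2500 survives one decoding pass as a literal %00.
        return "double-encoded null byte"
    return None


def scan_log(text: str) -> list:
    """Flag login-endpoint requests whose query parameters carry a null byte."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable request records
        url = urlsplit(m.group("target"))
        if url.path != LOGIN_ENDPOINT:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            reason = null_byte_reason(key) or null_byte_reason(value)
            if reason:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "param": key, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']}: {f['reason']}")
```

Because a plain access log records only the request line, parameters sent in a POST body are invisible here; run the same check on reverse-proxy or WAF request logs that capture form bodies to cover that case.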
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 14 Jul 2025 17:15:16 +0000