Pierluigi Paganini
July 13, 2025
Threat actors are exploiting a critical flaw, tracked as CVE-2025-47812 (CVSS score of 10), in Wing FTP Server that allows remote code execution with root/system privileges.
Wing FTP Server is a secure and flexible file transfer solution that supports multiple protocols, including FTP, FTPS, SFTP, and HTTP/S. It runs on Windows, Linux, and macOS, and provides a user-friendly web interface for both administrators and users.
The vulnerability CVE-2025-47812 is caused by improper handling of null bytes. An attacker can inject malicious Lua code into session files, leading to remote command execution with root or system privileges.
“In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).” reads the advisory published by MITRE. “This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.”
This happens because the SessionModule.lua script loads and runs session files without proper validation. If an attacker can manipulate a session file, whose name is tied to a cookie (UID), they can trigger code execution by performing any authenticated action on the server, such as listing directory contents via the web interface.
Critically, the server executes this code with full system-level privileges: on Linux as root, and on Windows as NT AUTHORITY/SYSTEM. This is because the Wing FTP Server runs by default with elevated privileges and lacks protections like privilege dropping, sandboxing, or jailing.
Although authentication is required to reach this point, even an anonymous FTP account (if enabled) can be used to exploit the flaw. This vulnerability essentially enables an attacker to escalate from basic user access, anonymous or authenticated, to full remote code execution with administrative rights on both Linux and Windows systems.
Exploit attempts began after researchers published technical details on the vulnerabilities on June 30.
On July 10, 2025, Huntress researchers published a technical analysis of th flaw, confirming that it had been actively exploited by threat actors as early as July 1, 2025. Details of the vulnerability had originally been published on June 30, 2025. Arctic Wolf researchers warn that the availability of a proof-of-concept exploit code for this vulnerability will trigger future exploitation attempts shortly.
“Threat actors exploiting this vulnerability must authenticate using either known credentials or the anonymous account, which requires no password but is disabled by default. When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages.” reads the analysis published by Artic Wolf. “In observed cases of exploitation, threat actors attempted to download and execute malicious files, perform reconnaissance, and install remote monitoring and management software. Arctic Wolf has observed similar activity previously where newly disclosed vulnerabilities were exploited on edge devices to steal sensitive data and potentially deploy ransomware in the aftermath. “
Arctic Wolf urges users to update to server version 7.4.4 or later, as all versions before 7.4.4 are affected by the critical vulnerability.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CVE-2025-47812)
