Wing FTP Server Remote Code Execution vulnerability (CVE-2025-47812) Exploited in the Wild
July 17th, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring CVE-2025-47812, a critical and actively exploited vulnerability in the Wing FTP Server. This vulnerability allows unauthenticated remote code execution (RCE) with full system-level privileges (root on Linux/macOS or SYSTEM on Windows). The flaw stems from improper input validation and null byte handling in Wing FTP Server's web interface, which lets remote attackers compromise affected servers with a single HTTP POST request.
This rapid shift from disclosure to exploitation highlights the urgent need for organizations to respond quickly to this threat. More than 8,000 publicly exposed devices running Wing FTP Server have been identified. Major organizations, including government agencies, critical infrastructure providers, and large enterprises, use the software for secure file transfers. This vulnerability poses a significant global security risk. Active exploitation has already been observed in the wild, including attempts to establish persistence, deploy malware, and conduct system reconnaissance.
Technical Details
CVE-ID: CVE-2025-47812
Severity: Critical (CVSS 10.0)
Component Affected: Wing FTP Web Interface
Vulnerability Type: Unauthenticated Remote Code Execution (RCE), Null Byte Injection combined with Lua Code Injection
CVE-2025-47812 stems from improper handling of null bytes within the loginok.html endpoint of Wing FTP Server’s web interface. The vulnerability is exploited through a specially crafted HTTP POST request, where the username parameter includes a null byte (%00) followed by Lua code injection.
The exploitation process involves:
Bypassing authentication mechanisms by injecting Lua code into server session files.
Triggering the execution of the malicious Lua code during the server’s session processing routine.
Gaining complete administrative control (root on Linux/macOS or SYSTEM on Windows).
This vulnerability was disclosed on June 30th, 2025, and exploitation attempts were detected as early as July 1st, 2025.

Impact
Exploitation of CVE-2025-47812 leads to severe consequences, including:
Complete remote control of the targeted Wing FTP Server host with root or SYSTEM privileges.
Ability to deploy remote access tools, backdoors, and malware.
Theft of sensitive data during transmission or while stored on the server.
Disruption of business-critical file transfer operations.
Potential lateral movement into internal networks.
Increased risk for organizations in sensitive sectors like defense, aerospace, media, and public services.
Detection Method
Detection strategies for identifying potential exploitation include:
Reviewing HTTP server logs for POST requests directed to /loginok.html containing anomalous username parameters or null byte (%00) payloads.
Monitoring the server’s session directories for unknown or suspicious .lua files.
Detecting unusual system commands being executed, especially enumeration commands such as ipconfig, whoami, net user, arp -a, and network data retrieval utilities like curl or certutil.
Analysing endpoint security and EDR alerts for unauthorized administrative activity or suspicious process execution.
Tracking connections to known malicious IP addresses or unusual outbound traffic from the server.
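The first detection strategy above (reviewing web server logs for POST requests to /loginok.html whose username parameter carries a null byte) can be scripted. The following is an added example, not code from the advisory or from Wing FTP Server; it assumes a simplified access-log format in which the server appends the raw POST body after the status code, and the sample lines are constructed (the injected content is a labelled placeholder, not a real payload).

```python
import re
from urllib.parse import unquote

# Constructed sample lines, not real traffic. Assumed format: common log prefix,
# then the raw POST body in quotes. Adjust LOG_RE to match your own log format.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:10:14:02 +0000] "POST /loginok.html HTTP/1.1" 200 "username=alice&password=REDACTED"
203.0.113.44 - - [01/Jul/2025:10:14:09 +0000] "POST /loginok.html HTTP/1.1" 200 "username=anonymous%00INJECTED-CONTENT-PLACEHOLDER&password=x"
203.0.113.44 - - [01/Jul/2025:10:14:11 +0000] "GET /dir.html HTTP/1.1" 200 ""
203.0.113.20 - - [01/Jul/2025:10:15:30 +0000] "POST /loginok.html HTTP/1.1" 200 "username=alice%40corp.example&password=REDACTED"
203.0.113.99 - - [01/Jul/2025:10:16:05 +0000] "POST /loginok.html HTTP/1.1" 200 "username=%E2%80%8Bsvc&password=x"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<body>[^"]*)"$'
)

# Assumed conservative username alphabet; anything outside it is flagged for review.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def parse_form(body):
    """Return {key: (raw_value, decoded_value)} for a form-urlencoded body.

    Both forms are kept so a null byte is caught whether it is still
    percent-encoded (%00) or already decoded to \\x00.
    """
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote(key)] = (value, unquote(value))
    return fields


def classify(line):
    """Return (client_ip, reason) for a suspicious loginok.html POST, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if m["path"].partition("?")[0].lower() != "/loginok.html":
        return None
    raw, decoded = parse_form(m["body"]).get("username", ("", ""))
    if "%00" in raw or "\x00" in decoded:
        return (m["ip"], "null-byte-in-username")
    if not SAFE_USERNAME.fullmatch(decoded):
        return (m["ip"], "anomalous-username")
    return None


def scan(log_text):
    """Run classify() over every line and collect the hits in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Running scan(SAMPLE_LOG) flags the null-byte login and the username containing a non-printable character, while the two ordinary logins and the GET request pass.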
Indicators of Compromise

Recommendations
To mitigate the risks associated with CVE-2025-47812, organizations should take the following steps:
Upgrade to Wing FTP Server version 7.4.4 or later immediately.
Disable anonymous FTP login if currently enabled.
Restrict or disable HTTP/HTTPS access to the Wing FTP web interface where possible.
Implement network segmentation to isolate Wing FTP Servers from critical infrastructure.
Monitor for suspicious session file creation or Lua code injection attempts.
Apply Web Application Firewall (WAF) rules to block malformed POST requests to loginok.html.
Conduct internal threat hunting focused on unusual administrative activities and lateral movement patterns.
Review and tighten access control policies on file transfer systems.
Schedule regular security assessments and penetration testing on external-facing services.
Conclusion
CVE-2025-47812 is a critical, actively exploited vulnerability with a confirmed ability to completely compromise systems through unauthenticated remote code execution. Its accessibility, widespread reach, and verified exploitation make it a top-priority threat for any organization using Wing FTP Server. The vulnerability affects all supported operating systems and poses a serious risk to the confidentiality, integrity, and availability of sensitive file transfer operations.