- Hackers launched attacks only one day after the full technical disclosure of the flaw was published
- Many servers remained vulnerable for weeks even though a fix was released long before the disclosure
- Null-byte injection in the username field lets attackers bypass login and run Lua code
Security researchers have confirmed that attackers are actively exploiting a critical vulnerability in Wing FTP Server, a widely used solution for managing file transfers.
Researchers at Huntress say the flaw, tracked as CVE-2025-47812, was publicly disclosed on June 30, and exploitation began almost immediately, just one day later.
This vulnerability allows unauthorized remote code execution (RCE), enabling attackers to run code as root or SYSTEM on vulnerable servers.
Wing FTP Server remains vulnerable on unpatched systems
Wing FTP Server is deployed across corporate and SMB environments and is used by more than 10,000 organizations globally, including high-profile clients such as Airbus, Pakinomist and the US Air Force.
The vulnerability is found in versions 7.4.3 and earlier and was patched in version 7.4.4, which was released on May 14, 2025.
Even though the fix had been available for over a month, many users remained unpatched when the technical details were published.
Security researcher Julien Ahrens explained that the problem stems from improper input sanitization and unsafe handling of null-terminated strings.
The weakness allows a null byte in the username to bypass authentication and insert malicious Lua code into session files.
When the server deserializes these files, the injected code executes at the highest privilege level on the system.
An attacker created malicious session files that used certutil and cmd.exe to fetch and execute external payloads.
Although the attack ultimately failed, thanks in part to Microsoft Defender, researchers observed the attackers attempting to escalate privileges, perform reconnaissance, and create new users to maintain persistence.
Another attacker reportedly had to look up how to use curl mid-attack, and another party was even involved during the operation.
This shows the persistence of attackers, who are likely scanning for exposed Wing FTP deployments, including those running outdated versions.
Even though the attackers lacked sophistication, the vulnerability remains very dangerous.
Researchers recommend upgrading to version 7.4.4 immediately. Where updates are not possible, disabling HTTP/S access, removing anonymous login options, and monitoring session file directories are important mitigation steps.
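The two defender-visible signals described above, a null byte in the login username and downloader command names inside session files, can be checked with a short script. This is an added example, not code from Huntress or the Wing FTP project; the `username` form-field name, the session file layout and all sample data are assumptions constructed for illustration.

```python
from pathlib import Path
from urllib.parse import parse_qsl

# Tool names the article reports inside malicious session files.
SUSPECT_TOKENS = (b"certutil", b"cmd.exe", b"curl")

def username_has_null(form_body: str, field: str = "username") -> bool:
    """Flag a urlencoded login body whose username holds a NUL byte.

    Catches raw NUL, %00, and double-encoded %2500 (left as the
    literal text '%00' after one round of decoding).
    """
    for key, value in parse_qsl(form_body, keep_blank_values=True):
        if key == field and ("\x00" in value or "%00" in value):
            return True
    return False

def scan_session_file(data: bytes) -> list:
    """Return reasons a session file's contents look tampered with."""
    findings = []
    if b"\x00" in data:  # assumption: text session files never hold NUL
        findings.append("NUL byte")
    lowered = data.lower()
    findings += ["token:" + t.decode() for t in SUSPECT_TOKENS if t in lowered]
    return findings

def scan_session_dir(directory: str) -> dict:
    """Map file name -> findings for every suspicious file in a directory."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            findings = scan_session_file(path.read_bytes())
            if findings:
                hits[path.name] = findings
    return hits

# Constructed samples (not captured traffic or real session files).
SAMPLE_LOGINS = [
    "username=alice&password=x",
    "username=anonymous%00PLACEHOLDER&password=",
    "username=bob%2500PLACEHOLDER&password=x",
]
SAMPLE_SESSION = b"user=anonymous\x00PLACEHOLDER certutil PLACEHOLDER"

if __name__ == "__main__":
    for body in SAMPLE_LOGINS:
        print(username_has_null(body), body)
    print(scan_session_file(SAMPLE_SESSION))
```

The token list is a heuristic and will also match legitimate file names containing those strings, so treat hits as leads for review rather than confirmed compromise.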
Three additional vulnerabilities were reported: one that enables password exfiltration through JavaScript, another that exposes system paths via an overlong cookie, and a third that highlights the server's lack of sandboxing.
While these pose severe risks, CVE-2025-47812 has received the highest severity rating due to its potential for complete system compromise.
Via The Register and BleepingComputer



