A critical security vulnerability within the Wing FTP Server, identified as CVE-2025-47812 with a CVSS score of 10.0, is actively being exploited in the wild. This maximum-severity flaw allows for remote code execution due to improper handling of null bytes in the server’s web interface. Wing FTP Server has released version 7.4.4 to address this critical vulnerability.
The vulnerability, first detailed publicly by RCESecurity researcher Julien Ahrens in late June 2025, presents a significant risk as it can be exploited even by unauthenticated, anonymous FTP accounts. Cybersecurity firm Huntress has confirmed observing threat actors leveraging this flaw for malicious purposes, including data exfiltration and the deployment of sophisticated malware.
Wing FTP Server Vulnerability Under Active Exploitation
The core of the issue lies in how the Wing FTP Server’s user and administrative web interfaces process null bytes, specifically within the authentication process handled by the loginok.html file. According to advisories, this allows for the injection of arbitrary Lua code into user session files. Consequently, attackers can execute system commands with the privileges of the FTP service, which by default often means root or SYSTEM privileges.
Huntress researchers explained that by exploiting the null-byte injection, adversaries can disrupt the expected input within the Lua files that store session characteristics. This disruption is the key to gaining unauthorized access and executing commands.
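A defender-side check for the request pattern described above, as an added example that is not from the original article, Huntress, or Wing FTP: it flags requests to loginok.html whose form fields carry a null byte, whether raw, percent-encoded, or double-encoded. The record layout (request target plus raw body, as a reverse proxy or WAF might capture it), the field names, and the sample requests are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample records: (request target, raw body), as a reverse proxy
# or WAF that logs request bodies might capture them. Field names and values
# are illustrative; PLACEHOLDER stands in for whatever followed the null byte.
SAMPLE_REQUESTS = [
    ("/loginok.html", b"username=alice&password=example"),
    ("/loginok.html", b"username=anonymous%00PLACEHOLDER&password="),
    ("/loginok.html?lang=en", b"username=bob%2500PLACEHOLDER&password=x"),
    ("/login.html", b""),
    ("/loginok.html", b"username=carol\x00PLACEHOLDER&password=x"),
]

def decode_fully(value: bytes, max_rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so double-encoded input (%2500) is caught."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(value)
        if decoded == value:
            break
        value = decoded
    return value

def null_byte_fields(target: str, body: bytes) -> list:
    """Names of query/body fields in a loginok.html request that hold a NUL."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/loginok.html"):
        return []
    hits = []
    for pair in query.encode("utf-8").split(b"&") + body.split(b"&"):
        name, _, value = pair.partition(b"=")
        if b"\x00" in decode_fully(name) or b"\x00" in decode_fully(value):
            hits.append(decode_fully(name).replace(b"\x00", b"\\0").decode("latin-1"))
    return hits

def scan(requests):
    """Return (index, field names) for every request that should be reviewed."""
    return [(i, f) for i, (t, b) in enumerate(requests) if (f := null_byte_fields(t, b))]

if __name__ == "__main__":
    for index, fields in scan(SAMPLE_REQUESTS):
        print(f"request {index}: null byte in field(s) {fields}")
```

A hit means the request deserves review alongside the host's session files and account list; it does not by itself confirm compromise.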
Exploitation Observed in the Wild
Evidence of active exploitation was first detected on July 1, 2025, just a day after the technical details of the exploit became widely available. In one observed incident, threat actors gained access and proceeded to run enumeration and reconnaissance commands. They also established persistence by creating new user accounts and deployed Lua files to install remote monitoring and management software. While the attack was detected and halted before the remote desktop software could be fully installed, it highlights the immediate danger posed by the vulnerability.
The perpetrators behind these observed attacks remain unidentified at this time. However, the swiftness of the exploitation indicates that automated scanning and exploitation tools are likely in play.
Scope of Impact and Mitigation
Data from network scanning service Censys indicates a substantial number of Wing FTP Server instances are accessible on the public internet. Out of 8,103 identified devices running the server software, 5,004 have their web interfaces exposed, making them potential targets. The United States, China, Germany, the United Kingdom, and India host the majority of these publicly accessible installations.
Given the active exploitation and the critical nature of the Wing FTP Server vulnerability, immediate action is strongly advised for all users. Applying the latest patches and updating to Wing FTP Server version 7.4.4 or later is crucial for mitigating this threat.
In response to the escalating threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) Catalog on July 14, 2025. This directive mandates that Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by August 4, 2025, underscoring the urgency for organizations to secure their systems.

