Critical Wing FTP Server Exploit: Hackers Launch Attacks Within Hours of Public Disclosure

Listen to this Post

Featured Image

A Growing Risk in Enterprise File Transfers

Just 24 hours after the technical breakdown of a critical vulnerability in Wing FTP Server was published, hackers wasted no time in launching real-world attacks. CVE-2025-47812, a severe remote code execution (RCE) flaw, allows unauthenticated attackers to run arbitrary commands with root or SYSTEM privileges — the highest level of access possible on a system. The vulnerability combines a null byte injection with Lua code manipulation, putting countless enterprise and small-business deployments of Wing FTP at immediate risk. Despite a patch being released weeks prior, the surge in attacks highlights a dangerous lag in adoption and the persistent threat posed by publicly exposed software weaknesses.

Summary of the Exploit and Associated Flaws

The spotlight vulnerability, CVE-2025-47812, exploits improper handling of null-terminated strings in C++ combined with unsanitized Lua inputs, letting attackers bypass authentication mechanisms and inject malicious Lua code. This code is then executed by Wing FTP Server with elevated privileges. The attacker needs no credentials — the flaw can be exploited remotely without authentication.

Security researcher Julien Ahrens revealed this vulnerability in detail on June 30, 2025, and it took less than a day for hackers to begin targeting systems. By crafting malicious login attempts using null-byte-injected usernames, threat actors generated Lua session files containing encoded payloads. These payloads were designed to download and execute malware using built-in Windows tools like certutil and cmd.exe.

In addition to CVE-2025-47812, Ahrens disclosed three other vulnerabilities:

CVE-2025-27889: Leaks user passwords through crafted URLs due to insecure JavaScript handling.
CVE-2025-47811: Highlights that Wing FTP runs as root/SYSTEM without sandboxing, amplifying any RCE risks.

CVE-2025-47813: Exposes filesystem paths via an oversized UID cookie.

All these issues affect versions 7.4.3 and earlier. Wing FTP addressed most of them in version 7.4.4, released on May 14, 2025 — but chose not to fix CVE-2025-47811, considering it insignificant.

Huntress Labs, a cybersecurity firm, verified exploitation in the wild on July 1. One of their clients experienced an intrusion attempt that mirrored Ahrens’ proof-of-concept, with injected Lua files and malformed login attempts. Interestingly, while this particular attempt may have failed (possibly due to Microsoft Defender), the system was hit by five distinct IPs in quick succession, suggesting that mass scans are already underway.

Attackers ran reconnaissance commands, tried to create persistent users, and used curl with webhooks for data exfiltration. The failure of the attack doesn’t reduce its threat level — it only shows that defenders still have a small window to act. Companies are urged to update to version 7.4.4 immediately. Those unable to do so should isolate Wing FTP’s HTTP/S access, disable anonymous logins, and keep a close eye on session directories for unexpected Lua scripts.

What Undercode Say:

Escalating Risks from Immediate Exploitation

The most concerning aspect of CVE-2025-47812 is how quickly it was weaponized. The vulnerability was publicly explained on June 30, and attacks were logged on July 1. This rapid turnaround underlines a broader industry challenge — the window between vulnerability disclosure and active exploitation is shrinking, leaving businesses with little margin for delay in patching.

Null Byte and Lua Injection: A Potent Combo

Wing

RCE at Root Level: No Sandboxing, No Mercy

CVE-2025-47811 may have been considered “unimportant” by the vendor, but that judgment appears dangerously optimistic. Running as root/SYSTEM by default, Wing FTP gives attackers complete control when an RCE flaw is exploited. Without sandboxing or privilege separation, there’s no barrier to lateral movement, data theft, or infrastructure compromise.

Failure Doesn’t Mean Safety

Although Huntress reported a failed attack, this

The Bigger Picture: Vulnerability Management

The Wing FTP case exposes a recurring security blind spot — slow update cycles and weak monitoring. Many businesses rely on FTP servers but don’t track vendor patches or CVE releases as rigorously as they do for OS-level threats. This makes systems like Wing FTP an ideal target for attackers seeking quick wins with minimal effort.

Lua Scripts and Insider Risks

Since Lua scripts can interact with server files and execute system commands, any attacker who gains write access to session files essentially has a foothold to maintain persistence and evade detection. Malicious Lua scripts could mimic legitimate automation tasks while siphoning data or opening backdoors.

Time for Zero Trust

Organizations using software like Wing FTP need to apply Zero Trust principles. Isolating critical services, enforcing user segmentation, disabling unused features like anonymous access, and tightly logging all actions are no longer optional. With public PoCs floating online, attackers don’t need elite skills — just scanning tools and a target.

Cloud and Hybrid Vulnerability Crossroads

Wing FTP is used in hybrid environments — local servers managing cloud transfers. This hybrid use magnifies risk, as an infected on-prem FTP can lead to exposure of cloud credentials, API tokens, or linked data stores. Defenders must treat such tools with the same rigor as core infrastructure components.

🔍 Fact Checker Results:

✅ CVE-2025-47812 is confirmed as a critical RCE vulnerability and publicly documented by multiple security researchers.
✅ Huntress has verified real-world exploitation of the flaw in live environments.
✅ Wing FTP version 7.4.4 includes patches for most issues except CVE-2025-47811.

📊 Prediction:

🚨 With the public proof-of-concept readily available and multiple IP addresses already scanning for vulnerable servers, mass exploitation campaigns are expected to rise sharply.
🔐 Organizations that fail to update to version 7.4.4 within the next few weeks may experience targeted attacks, especially those in industries handling sensitive data transfers.
🛡️ Expect security vendors to roll out new detection signatures, but proactive patching and service hardening will remain the most effective defense.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin