Critical Wing FTP Server vulnerability exploited in the wild (CVE-2025-47812)
Threat actors are actively exploiting a recently fixed remote code execution vulnerability (CVE-2025-47812) in Wing FTP Server, security researchers have warned.
Wing FTP Server and CVE-2025-47812
Wing FTP Server is a commercial file transfer server solution used by businesses, MSPs and hosting providers.
The software can be installed on 64-bit operating systems: Windows, Windows Server, Linux, and macOS. Administration is done via a web-based interface. Users likewise upload and download files securely via a browser.
CVE-2025-47812 is caused by Wing FTP Server’s user and admin web interfaces mishandling “\0” (i.e., “null”) bytes, which allows attackers to inject arbitrary Lua code into user session files.
“[The vulnerability] can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts,” the flaw’s CVE record explains.
CVE-2025-47812 was discovered and privately reported by RCE Security researcher Julien Ahrens, and was fixed in Wing FTP Server v7.4.4, released on May 14, 2025.
On June 30, the researcher published a detailed write-up about the flaw and outlined two other vulnerabilities (CVE-2025-47811, CVE-2025-47813) he discovered at the same time. He also published advisories, complete with PoC exploits.
CVE-2025-47812 exploited
According to Huntress researchers, it didn’t take long for attackers to try to leverage CVE-2025-47812: they first observed exploitation against a customer on July 1, 2025.
Their analysis of the attack revealed the involvement of several different attackers, who connected to the victim’s machine from different IP addresses, performed reconnaissance, created new users for persistence, and tried to download and run malicious batch files and the ScreenConnect remote monitoring and management software.
The attackers were apparently not very skilled and were continuously frustrated by Microsoft Defender installed on the targeted computer. The attack was spotted relatively quickly and the machine isolated.
“Despite the threat actors’ unavailing activity, this incident shows that CVE-2025-47812 is being actively targeted at this point. While we’ve only seen exploitation activity on one customer as of July 8, 2025, organizations can best protect themselves by updating to version 7.4.4,” Huntress researchers noted, and shared indicators of compromise and suspicious log entries threat hunters can use.
Other Wing FTP Server vulnerabilities
To exploit CVE-2025-47812, a threat actor must first authenticate with compromised credentials or, alternatively – if Wing FTP Server’s web interface allows it – with an anonymous account.
Ahrens pointed out, though, that they could also use CVE-2025-27889, an information disclosure vulnerability that requires user interaction for exploitation, but can reveal the user’s cleartext password. (Also discovered and reported by him, CVE-2025-27889 was fixed in Wing FTP Server version 7.4.3, released on March 26, 2025.)
The most recent Wing FTP Server version (7.4.4) includes fixes for CVE-2025-47812 and CVE-2025-47813, but not CVE-2025-47811, which could allow attackers to execute code with the highest possible privileges. According to Ahrens, “the vendor thinks [CVE-2025-47811] is fine to keep despite being the reason why we got full root access.”
According to internet infrastructure intelligence platform Censys, there were around 8,100 devices running Wing FTP Server on July 9, and some 5,000 had their web interfaces exposed on the internet.
“Servers with this interface exposed are potentially vulnerable, as the exploit is performed using a malicious POST request, as demonstrated in the PoC exploit,” they noted.
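Because the flaw hinges on null bytes arriving in POST requests to the web interface, defenders who capture request bodies at a reverse proxy or WAF can flag form fields that decode to a value containing a NUL byte. The sketch below is an added example, not code from the article, the PoC or Huntress's indicators; the record layout, the /login path, the field names and the sample traffic are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes


def _decode(part: bytes) -> bytes:
    # Form encoding: '+' means space, %XX is one raw byte.
    return unquote_to_bytes(part.replace(b"+", b" "))


def nul_fields(body: bytes):
    """Return (field, text_before_nul, bytes_after_nul) for every
    form field whose decoded value contains a NUL byte."""
    hits = []
    for pair in body.split(b"&"):
        name, _, raw = pair.partition(b"=")
        value = _decode(raw)
        if b"\x00" in value:
            head, _, tail = value.partition(b"\x00")
            hits.append((_decode(name).decode("latin-1"),
                         head.decode("latin-1"), len(tail)))
    return hits


def scan(requests):
    """Return (src, path, field, text_before_nul, bytes_after_nul)
    for each suspicious field seen in a POST request."""
    findings = []
    for req in requests:
        if req["method"] != "POST":
            continue  # the article describes exploitation via POST
        for field, head, hidden in nul_fields(req["body"]):
            findings.append((req["src"], req["path"], field, head, hidden))
    return findings


# Constructed sample traffic (documentation IP ranges, hypothetical path
# and field names, inert placeholder after the NUL).
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": "/login",
     "body": b"username=alice&password=correct+horse"},
    {"src": "198.51.100.7", "method": "POST", "path": "/login",
     "body": b"username=anonymous%00TRAILING-DATA&password="},
    {"src": "192.0.2.10", "method": "GET", "path": "/", "body": b""},
]

if __name__ == "__main__":
    for src, path, field, head, hidden in scan(SAMPLE):
        print(f"{src} POST {path}: field {field!r} = {head!r} "
              f"+ NUL + {hidden} hidden byte(s)")
```

A hit reports the text before the NUL and how many bytes follow it, which is the part a component that stops reading at the null byte would never see.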