The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed reports of active exploitation just one day after technical details went public.
This critical remote code execution (RCE) flaw, rated CVSS 10, affects Wing FTP Server, a widely deployed enterprise solution for managing secure file transfers. The flaw combines a null byte injection vulnerability with unsafe Lua code execution, giving unauthenticated attackers the ability to execute arbitrary code with root or SYSTEM privileges.
The vulnerability arises from Wing FTP Server’s improper neutralization of null bytes in user-supplied input and unsafe handling of Lua scripts. According to researcher Julien Ahrens, who published the technical write-up, the root of the issue lies in insecure handling of null-terminated strings in C++ and inadequate input sanitization in Lua.
On July 1st, just 24 hours after public disclosure, threat intelligence platform Huntress detected an active exploitation attempt targeting one of their customers.
Huntress researchers discovered that attackers exploited ‘loginok.html’ by sending malformed login requests with null-byte-injected usernames. This led to the creation of malicious session .lua files that injected Lua code directly into the server.
The malicious Lua script used hex-decoded payloads and leveraged certutil.exe to fetch and execute malware from a remote server, effectively breaching the system.
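A small detection script, added here as an illustration and not code from the article, Huntress or the vendor, that flags the two artefacts described above: login requests to loginok.html whose username carries a null byte, and session .lua files containing a NUL byte or shell-out calls. The access-log format and session-file layout are assumptions, and all sample data is constructed.

```python
"""Flag indicators of CVE-2025-47812 exploitation attempts (defender-side example).

The log-line format and session-file layout here are assumed, not Wing FTP
Server's real formats; the sample data is constructed for the demonstration.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines: client IP, request line, status, size, POST body.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:10:00:01 +0000] "POST /loginok.html HTTP/1.1" 200 512 "username=alice&password=secret"
203.0.113.55 - - [01/Jul/2025:10:00:07 +0000] "POST /loginok.html HTTP/1.1" 200 512 "username=anonymous%00&password=x"
198.51.100.7 - - [01/Jul/2025:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 100 "-"
"""

# Constructed session-file contents: a normal session and an injected one.
NORMAL_SESSION = b'username = "alice"\nlast_login = 1751364001\n'
INJECTED_SESSION = b'username = "anonymous\x00"\nos.execute("certutil")\n'

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "(?P<body>[^"]*)"$'
)
# Lua calls that shell out, plus the LOLBin named in the Huntress report.
SUSPICIOUS_LUA = re.compile(rb"\b(os\.execute|io\.popen|certutil)\b")


def find_null_byte_logins(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_username) for POSTs to loginok.html whose
    URL-decoded username contains a NUL byte, the trigger for this CVE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/loginok.html"):
            continue
        for pair in m["body"].split("&"):
            key, _, raw_value = pair.partition("=")
            if key == "username" and b"\x00" in unquote_to_bytes(raw_value):
                hits.append((m["ip"], raw_value))
    return hits


def scan_session_file(content: bytes) -> list[str]:
    """Return reasons a session .lua file looks tampered with: an embedded NUL
    byte (a username truncated mid-field) or code that executes commands."""
    reasons = []
    if b"\x00" in content:
        reasons.append("nul-byte in session data")
    for m in SUSPICIOUS_LUA.finditer(content):
        reasons.append(f"suspicious token: {m.group(0).decode()}")
    return reasons


if __name__ == "__main__":
    for ip, user in find_null_byte_logins(SAMPLE_LOG):
        print(f"null-byte login attempt from {ip}: username={user!r}")
    for name, data in (("normal", NORMAL_SESSION), ("injected", INJECTED_SESSION)):
        print(name, scan_session_file(data) or "clean")
```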
Wing FTP Server’s support for embedded Lua scripting is a powerful feature—but when combined with poor input validation, it becomes a major security liability. Attackers exploited this exact combination to:
- Bypass authentication mechanisms
- Drop and execute malware payloads
- Establish persistent access by creating new user accounts
- Gain SYSTEM/root privileges, granting full control of the affected host
Because Wing FTP is commonly used in enterprise and SMB environments, a successful compromise can serve as a beachhead for lateral movement or data exfiltration.
The vendor has released version 7.4.4, which patches the vulnerability. All organizations are strongly urged to update immediately, especially those exposing Wing FTP Server to the internet.
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by August 4, 2025, to avoid potential exploitation.