Critical Wing FTP Server Flaw (CVSS 10.0) Under Active Exploitation: Patch Now!
Researchers at Huntress have observed active exploitation of a critical vulnerability in Wing FTP Server—a mere day after its public disclosure. The flaw, tracked as CVE-2025-47812, received the highest possible severity rating (CVSS 10.0), as it enables remote execution of arbitrary code on vulnerable servers. The vulnerability was initially discovered and reported by experts at RCE Security, though the technical details were only published on June 30—more than a month after the patch was released.
Wing FTP Server is a widely used cross-platform file transfer solution that supports FTP, FTPS, SFTP, and HTTP/S protocols. According to its developers, the software is used by more than 10,000 clients globally, including Airbus, Reuters, and the United States Air Force. The vulnerability lies in the handling of usernames within Wing FTP’s web interface. When a username containing a null byte (%00) is submitted, everything following the byte is interpreted as Lua code. This code is written into a session file and later executed during deserialization, granting an attacker full control over the server.
According to Huntress, the first attacks were observed on July 1st—less than 24 hours after the disclosure. The attackers clearly leveraged the newly released technical details. Initially, three connections were made to the victim server, followed by a fourth actor who began scanning the file system, creating new users, and attempting to establish persistence. However, the attacker’s actions betrayed a lack of sophistication: their commands contained syntax errors, PowerShell crashed repeatedly, and an attempt to upload a trojan failed when the file was intercepted by Microsoft Defender. Log analysis revealed that, at one point, the attacker resorted to Googling how to use the curl utility, and shortly thereafter, a fifth participant joined the server—likely summoned for assistance.
After several failed attempts, the attacker tried to upload a malicious file again, but the server soon crashed and was subsequently isolated by the organization, halting any further intrusion. Despite the clumsiness of this particular campaign, Huntress warns that CVE-2025-47812 is being actively exploited and poses a genuine threat. Researchers strongly urge all Wing FTP users to update immediately to version 7.4.4, which includes the necessary fix.
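A defender-side check for the null-byte trigger described above and for the 7.4.4 fix threshold, added here as an example (not the article's or Wing FTP's own code); the log line layout, the /login path and the username field name are constructed assumptions, so adapt them to the real log format:

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

FIXED_VERSION = (7, 4, 4)   # release the article names as carrying the fix
LOGIN_PATH = "/login"       # assumed login endpoint, not the real Wing FTP path

# Constructed line layout: <timestamp> <client-ip> <method> <path> "<body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def is_unpatched(version: str) -> bool:
    """True when the reported Wing FTP version is older than 7.4.4."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def username_has_null_byte(raw_username: str) -> bool:
    """Check the percent-decoded bytes for a real NUL, so a literally
    encoded '%2500' (which decodes to the text '%00') is not a false hit."""
    return b"\x00" in unquote_to_bytes(raw_username)


def scan_login_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, username_before_nul) for every login POST whose
    username parameter carries a NUL byte. Only the part before the NUL is
    kept; whatever follows it is the suspect payload and is not echoed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, method, path, body = m.groups()
        if method != "POST" or path != LOGIN_PATH:
            continue
        for pair in body.split("&"):
            key, _, value = pair.partition("=")
            if key == "username" and username_has_null_byte(value):
                prefix = unquote_to_bytes(value).split(b"\x00", 1)[0]
                findings.append((ip, prefix.decode("utf-8", "replace")))
    return findings


# Constructed sample lines, not real Wing FTP output.
SAMPLE_LOG = [
    '2025-07-01T09:58:12Z 203.0.113.5 POST /login "username=alice&password=x"',
    '2025-07-01T09:58:40Z 203.0.113.7 POST /login "username=bob%00MARKER&password=x"',
    '2025-07-01T09:59:02Z 203.0.113.9 GET /login ""',
]
```

Running `scan_login_log(SAMPLE_LOG)` flags only the second line, reporting the client 203.0.113.7 and the username prefix `bob`.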
This incident also underscores the inherent risks of legacy protocols. FTP, conceived in the 1970s, was never designed with modern security standards in mind. While Wing FTP does support more secure alternatives such as SFTP and MFT, these options are restricted to commercial editions. Many contemporary projects—such as Chrome, Firefox, and Debian—have long since deprecated FTP support, reflecting the broader industry shift away from outdated and vulnerable protocols.