10/10 Wing FTP bug exploited within hours, cyber pros say • The Register


Huntress security researchers observed exploitation of the CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server on July 1, just one day after its public disclosure.

Wing FTP Server is a cross-platform file-transfer solution, supporting FTP, FTPS, SFTP, and HTTP/S. It is used by over 10,000 customers worldwide for secure data exchange, including Airbus, Reuters, and the US Air Force, according to its website.

Although the flaw was patched on May 14, the researchers behind the discovery of CVE-2025-47812 did not publish their findings until over a month after the fix arrived in version 7.4.4.

RCE Security, which found and reported the issue, said in its report on June 30 that once Lua code is injected into a session file, execution as root on affected Wing FTP instances is trivial, hence the maximum possible severity score.

The main issue at play was the way in which the Wing FTP web interface handled null bytes in the username field, allowing attackers to execute a Lua injection attack.

If an attacker appended a %00 null byte to the username input, anything after it would be interpreted as Lua code, which would then be injected into session object files and deserialized by the application.
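The null-byte pattern described above is straightforward to check for on the defensive side. The following is an added example, not code from The Register, Huntress, RCE Security or Wing FTP: it scans constructed login request lines (the endpoint path and log layout are assumptions) for a username containing a null byte or other control character after URL decoding, and shows a hardened validation check that rejects such names before they reach session handling.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request log. The "/login" path and the log layout are
# hypothetical and not Wing FTP's own; values are made up for illustration.
SAMPLE_LOG = """\
POST /login username=alice&password=secret1
POST /login username=bob%00injected_text&password=secret2
POST /login username=carol%2500&password=secret3
POST /login username=dave%0Ainjected_text&password=secret4
"""


def username_bytes(query: str) -> bytes:
    """Return the raw bytes of the username field after one URL-decoding pass."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "username":
            return unquote_to_bytes(value)
    return b""


def has_null_byte(username: bytes) -> bool:
    """True when the decoded username contains a NUL, the trigger in CVE-2025-47812."""
    return b"\x00" in username


def is_acceptable_username(username: bytes) -> bool:
    """Hardened check: accept only printable ASCII of sane length, so null bytes
    and other control characters never reach session-file serialization."""
    if not username or len(username) > 64:
        return False
    return all(0x20 <= b < 0x7F for b in username)


def scan_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for each login line whose username fails
    the hardened check. Note %2500 decodes once to the literal text '%00',
    which is printable; what matters is the decoding the server actually applies."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        name = username_bytes(parts[2])
        if has_null_byte(name):
            findings.append((n, "null byte in username"))
        elif not is_acceptable_username(name):
            findings.append((n, "control or non-printable byte in username"))
    return findings
```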

Huntress said that it was only aware of one successful in-the-wild exploit attempt for this vulnerability, but urged users to patch regardless, if they have not already.

The attackers did not seem too sophisticated, the researchers noted, saying they seemed incapable of causing much damage before their access was neutralized.

According to Huntress’ experts, attacks began within 24 hours of the public disclosure, which included details about how the vulnerability was discovered. Attackers typically use these writeups to craft their own exploit code.

By 0956 UTC the following day, three attackers had already attempted to connect to the one target’s Wing FTP server, and about six and a half hours later, a fourth entered the fray.

The fourth quickly began enumerating files and creating new users to establish persistent remote access, but then failed to execute commands that Huntress said were “poorly constructed.”

That failure and inexperience were a running theme throughout the fourth attacker’s time on the organization’s Wing FTP server, with several other command execution attempts failing due to “rookie errors.”

At one point, Huntress said that after digging through the victim’s logs, it was able to deduce that the fourth intruder had to look up how to use curl mid-attack.

The researchers also said that it seemed like at one point the attacker may have phoned a friend for help, as a fifth connected to the server after a period of quiet.

Attacker number four then began trying to cause some trouble using PowerShell. When that crashed on them, they tried to download a trojan, but Microsoft Defender scooped it up before it could execute.

The server crashed after that, booting the attackers out, and the victim organization isolated it shortly after, marking an end to a frustrating day out for the threat actors.

“Despite the threat actors’ unavailing activity, this incident shows that CVE-2025-47812 is being actively targeted at this point,” Huntress said. 

“While we’ve only seen exploitation activity on one customer as of July 8, 2025, organizations can best protect themselves by updating to version 7.4.4.”

This incident also underscores how legacy protocols can harbor hidden risks. Given FTP has been around since the early seventies, security was not at the forefront of mind when developing the protocol itself. 

The technology has since been overtaken by secure FTP (SFTP) and managed file transfer (MFT) solutions, which offer greater versatility and security. Wing FTP Server also supports those secure file transfer protocols, so there are more tightly secured options for its customers when connecting to the server. According to its user manual [PDF], these more secure options are only available on the secure and corporate editions, and not the free or standard editions.

Many projects, like Chrome, Firefox, Debian, and more, either disabled FTP by default or completely removed support for it many years ago, reflecting the changing attitudes toward the protocol. ®
