Critical Wing FTP Bug CVE-2025-47812 Now Actively Exploited

A recently revealed critical vulnerability in Wing FTP Server is now being actively exploited, according to cybersecurity firm Huntress. 

The flaw, identified as CVE-2025-47812 and assigned a perfect CVSS score of 10.0, is caused by improper handling of null (\0) bytes in the server’s web interface. This vulnerability enables remote code execution and has been fixed in version 7.4.4. 

According to the advisory on CVE.org, both the user and admin web interfaces fail to handle null bytes correctly. This weakness allows attackers to inject arbitrary Lua code into session files. When successful, the attacker can execute system-level commands using the privileges of the FTP service, which typically runs as root or SYSTEM. 

One alarming aspect of this vulnerability is that it can be exploited even through anonymous FTP accounts. A detailed technical breakdown was made public in late June 2025 by security researcher Julien Ahrens from RCE Security. 

Active Exploitation in the Wild 

Huntress has confirmed that attackers are already exploiting this flaw. In observed cases, attackers have downloaded and executed malicious Lua scripts, conducted system reconnaissance, and attempted to install remote monitoring and management tools. 

Researchers explained that the vulnerability originates from how the username parameter is processed during login, particularly in the loginok.html file. By inserting a null byte in this parameter, attackers can disrupt normal session handling and trigger Lua code injection. 
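As an added illustration of the defensive side (not code from Huntress, RCE Security or Wing FTP), the following Python flags login requests to `loginok.html` whose `username` parameter carries a NUL byte, the pattern the article describes, and checks a reported version against the fixed 7.4.4 release. The sample request lines are constructed, and treating the username as a URL-encoded form or query parameter is an assumption.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "loginok.html"          # login endpoint named in the article
PATCHED_VERSION = (7, 4, 4)          # first fixed release per the advisory
WATCHED_PARAMS = ("username",)       # parameter the article says is mishandled

# Constructed sample requests (method, request target, form body); not real logs.
SAMPLE_REQUESTS = [
    ("POST", "/loginok.html", "username=alice&password=s3cret"),
    ("POST", "/loginok.html", "username=anonymous%00x&password=anything"),
    ("GET", "/loginok.html?username=guest%00&password=", ""),
    ("POST", "/loginok.html", "username=bob&password=%00"),   # NUL outside username
    ("GET", "/index.html", ""),
]


def has_null_byte(value: str) -> bool:
    """True if the percent-decoded parameter value contains a NUL (\\0) byte."""
    return "\x00" in value


def flag_login_request(method: str, target: str, body: str = "") -> Optional[dict]:
    """Return a finding when a login request's username contains a NUL byte.

    Parameters may arrive in the query string (GET) or the form body (POST);
    parse_qs percent-decodes them, so %00 becomes a literal NUL character.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(LOGIN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if has_null_byte(value):
                return {"method": method, "path": parts.path, "param": name}
    return None


def scan(requests) -> list:
    """Run the check over (method, target, body) tuples and collect findings."""
    return [f for f in (flag_login_request(*r) for r in requests) if f]


def is_patched(version: str) -> bool:
    """True if a dotted version string is 7.4.4 or later (numeric comparison)."""
    return tuple(int(p) for p in version.split(".")) >= PATCHED_VERSION


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print("suspicious login request:", finding)
```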

On July 1, 2025, Huntress detected the first known exploitation attempt against a customer, just one day after public disclosure of the exploit. During the attack, threat actors issued reconnaissance commands, created unauthorized users to maintain access, and deployed Lua scripts designed to launch an installer for ScreenConnect. Fortunately, the intrusion was detected in time and halted before the remote desktop tool could be installed. 

As of now, it remains unclear who is responsible for the attack. 

Thousands of Servers Still at Risk 

Data from Censys indicates that over 8,100 Wing FTP Server instances are publicly accessible. Among these, around 5,000 have their web interface exposed. The highest concentrations of these servers are found in the United States, China, Germany, the United Kingdom, and India. 

Given the severity of the vulnerability and evidence of active exploitation, organizations using Wing FTP Server are strongly advised to update to version 7.4.4 or later without delay. Applying the patch is critical to prevent unauthorized access, system compromise, and potential data breaches. 
