SecurityWeek


Critical Wing FTP Server Vulnerability Exploited

Wing FTP Server vulnerability CVE-2025-47812 can be exploited for arbitrary command execution with root or system privileges.


Hackers have been exploiting a critical-severity vulnerability in the Wing FTP Server file transfer solution to execute arbitrary code remotely, after technical information on the flaw was published on June 30, security researchers warn.

Tracked as CVE-2025-47812, the critical issue is described as the mishandling of null bytes, which allows attackers to inject arbitrary Lua code in user session files, leading to the execution of arbitrary commands with root or system privileges.

Successful exploitation could lead to full server compromise through remote execution of arbitrary code. Authentication is required, but the anonymous FTP account, which needs no password, is enough to trigger the flaw; that account is disabled by default.

“When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages,” Arctic Wolf explains.

CVE-2025-47812 affects Wing FTP Server versions up to and including 7.4.3, and was resolved in version 7.4.4 of the file transfer tool, which was released on May 14.

On June 30, however, Julien Ahrens of RCE Security published technical information and a PoC exploit for the vulnerability, and hackers started targeting it in the wild the next day, Huntress reports.


“[Wing FTP] sessions typically store the user’s current directory, IP address, and username. By taking advantage of the null-byte injection, the adversary disrupts the anticipated input in the Lua file which stores these session characteristics,” the security firm notes.

Huntress, which also created a PoC exploit targeting the flaw, says indicators of compromise (IoCs) can be found in the logs under the ‘Domain’ directory of the Wing FTP installation folder.
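The two quotes above describe the mechanism (a null byte in the username defeats login-time string processing, and the attacker's text lands in the Lua session file outside the string literal it was meant to sit in) and where the evidence ends up (session data and logs on disk). The following Python is an added model of that vulnerability class, written for this page; it is not Wing FTP Server's code and is not derived from either PoC. It assumes a server that persists each session as a Lua file of `field = "value"` lines and a login sanitiser that treats the username as a NUL-terminated C string, both constructed assumptions. It shows the vulnerable writer beside a hardened one, plus a triage check that flags a session file whose contents are no longer just field assignments. The payload and command are constructed placeholders, not real IoCs.

```python
"""Added model of the null-byte-to-Lua injection class described above.
Not Wing FTP Server's code: it assumes a server that stores each session
as a Lua file of `field = "value"` lines and that its login-time sanitiser
handles the username as a NUL-terminated C string (both assumptions)."""
import re

NUL = "\x00"


def c_view(value: str) -> str:
    """What a NUL-terminated C string routine sees: bytes before the first NUL."""
    return value.split(NUL, 1)[0]


def login_check_vulnerable(username: str) -> bool:
    """Sanitiser that inspects only the C view. A quote smuggled after a NUL
    is invisible to it, so the username is wrongly accepted."""
    head = c_view(username)
    return '"' not in head and "\\" not in head


def write_session_vulnerable(username: str, ip: str, cwd: str) -> str:
    """Vulnerable writer: validates the C view, then emits the full
    length-delimited buffer (as an HTTP stack hands it over) into Lua source."""
    if not login_check_vulnerable(username):
        raise ValueError("username rejected")
    return f'username = "{username}"\nip = "{ip}"\ncwd = "{cwd}"\n'


LUA_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r"}


def lua_quote(value: str) -> str:
    """Hardened quoting: escape every character that could end or alter the
    literal; control bytes (NUL included) become Lua \\ddd escapes."""
    out = []
    for ch in value:
        if ch in LUA_ESCAPES:
            out.append(LUA_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def hardened_login_check(username: str) -> bool:
    """Reject NUL bytes outright; a terminator has no business in a username."""
    return NUL not in username


def write_session_hardened(username: str, ip: str, cwd: str) -> str:
    """Hardened writer: reject NUL early and quote every field on its full value."""
    if not hardened_login_check(username):
        raise ValueError("NUL byte in username")
    return (f"username = {lua_quote(username)}\n"
            f"ip = {lua_quote(ip)}\n"
            f"cwd = {lua_quote(cwd)}\n")


def strip_string_literals(lua: str) -> str:
    """Blank the contents of double-quoted Lua literals (honouring backslash
    escapes) so only the code structure outside the strings remains."""
    out, i, n = [], 0, len(lua)
    while i < n:
        if lua[i] == '"':
            out.append('""')
            i += 1
            while i < n and lua[i] != '"':
                i += 2 if lua[i] == "\\" else 1
            i += 1  # closing quote
        else:
            out.append(lua[i])
            i += 1
    return "".join(out)


EXPECTED_LINE = re.compile(r'^(username|ip|cwd) = ""$')


def session_looks_tampered(lua: str) -> bool:
    """Triage check for on-disk session files: anything left after blanking
    the literals that is not a bare field assignment means code was injected."""
    lines = [ln for ln in strip_string_literals(lua).splitlines() if ln.strip()]
    return any(not EXPECTED_LINE.match(ln) for ln in lines)


# Constructed payload: a NUL terminator, then text that closes the literal
# and appends a Lua statement. The command is a placeholder, not a real IoC.
PAYLOAD = "anonymous" + NUL + '"; os.execute("id") --'

if __name__ == "__main__":
    bad = write_session_vulnerable(PAYLOAD, "203.0.113.5", "/")
    print(bad.replace(NUL, "<NUL>"))
    print("tampered:", session_looks_tampered(bad))
    good = write_session_hardened('alice"; os.execute("id") --', "203.0.113.5", "/")
    print(good)
    print("tampered:", session_looks_tampered(good))
```

Run as a script and the vulnerable writer produces a first line in which `os.execute("id")` sits outside the closed literal, while the hardened writer keeps the same hostile text inside the string as `\"` escapes. The fix has two independent parts: refuse a NUL in the username before any other processing, and quote on the full buffer rather than on whatever a C-string view happens to see. `session_looks_tampered` is a cheap triage pass for session files already on disk; it is not a substitute for the log review Huntress describes.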

The security firm says that, as of July 8, it had observed threat activity against a single customer, with the attackers attempting to fetch and run arbitrary files, fingerprint the system, and deploy remote access tools.

According to Censys, there are roughly 8,103 internet-accessible Wing FTP Servers, 5,004 of which expose their web interfaces. Those are the ones at risk, since the PoC exploit for CVE-2025-47812 delivers its payload through a POST request to the web interface.

Related: Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild

Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities

Related: Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities

Related: Critical Citrix NetScaler Flaw Exploited as Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
