Hackers Exploit Major Wing FTP Server Flaw Just One Day After It's Made Public

Cybercriminals wasted no time. Just one day after technical details were released about a serious vulnerability in Wing FTP Server, attackers began actively exploiting it — trying to gain control over servers in the wild.

The flaw, officially tracked as CVE-2025-47812, allows hackers to remotely execute code without needing a password and with full system privileges (like root or SYSTEM access).

This vulnerability was discovered by security researcher Julien Ahrens, who published a detailed explanation on June 30. According to Ahrens, the problem lies in improper handling of usernames in the server's C++ code, combined with user input that isn't sanitized before being used in Lua scripts.

Here's what the attackers are doing:

  1. They send a fake login request with a special null byte in the username field.
  2. This produces a malicious session file (.lua), which is subsequently run on the server.
  3. The Lua code in that file loads malware using native Windows utilities such as certutil, and executes it via cmd.exe.
  4. Once inside, attackers attempt to harvest information, create fake users, and steal data using tools such as curl and webhooks.
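
As a defensive illustration of step 1, added here and not taken from Huntress, Ahrens or Wing FTP: a Python check that flags login request bodies whose username carries a null byte, including percent-encoded and double-encoded forms. The field name `username`, the form-encoded body format and the sample requests are assumptions constructed for this example.

```python
from urllib.parse import parse_qsl, unquote

# Assumption: the login form field is named "username" (the article only says
# "username field"); change it to match the field seen in your own traffic.
USERNAME_FIELD = "username"
MAX_DECODE_ROUNDS = 3  # unwrap double/triple percent-encoding, bounded


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so %2500 is treated the same as %00."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def check_login_body(body: str) -> list:
    """Return the reasons a form-encoded login body looks suspicious."""
    reasons = []
    # keep_blank_values so an empty username is still inspected
    for name, value in parse_qsl(body, keep_blank_values=True, encoding="latin-1"):
        if name != USERNAME_FIELD:
            continue
        value = fully_decode(value)
        if "\x00" in value:
            offset = value.index("\x00")
            reasons.append(f"NUL byte at offset {offset} in username")
        elif any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            reasons.append("control character in username")
    return reasons


# Constructed sample bodies (not captured traffic, no payload content).
SAMPLE_BODIES = [
    "username=alice&password=x",
    "username=anonymous%00trailing&password=",
    "username=bob%2500trailing&password=x",
    "username=carol%0d%0a&password=x",
]


def scan(bodies):
    """Map each suspicious body to its list of reasons."""
    return {b: r for b in bodies if (r := check_login_body(b))}


if __name__ == "__main__":
    for body, reasons in scan(SAMPLE_BODIES).items():
        print(repr(body), "->", "; ".join(reasons))
```

The same test can run in a reverse proxy or WAF rule in front of the web portal, where request bodies are visible before they reach the server.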

Cybersecurity firm Huntress says that one of their customers was hit by an attacker using this exact method on July 1, just a day after the vulnerability was publicly disclosed.

According to Huntress, at least five different IP addresses targeted the same vulnerable server shortly after the exploit became known. That suggests this wasn’t an isolated case—it may be part of a larger wave of attacks by multiple hacker groups.

While the specific attack they witnessed failed (possibly blocked by Microsoft Defender or due to poor attacker execution), the intent and potential for damage were clear.

Researcher Julien Ahrens also disclosed three other vulnerabilities affecting Wing FTP Server versions 7.4.3 and below:

  • CVE-2025-27889: Lets hackers steal user passwords using a crafted URL
  • CVE-2025-47811: The server runs with maximum privileges by default, making any exploit more dangerous
  • CVE-2025-47813: Oversized cookies can leak file paths on the server

All of these have been patched in version 7.4.4, released on May 14, 2025 — except for one which was deemed less important.

If your organization uses Wing FTP Server, update immediately to version 7.4.4. This is the only way to fully protect against these exploits.

If updating isn’t possible right away, Huntress recommends:

  • Disabling HTTP/HTTPS access to the Wing FTP web portal
  • Blocking anonymous logins
