Critical remote code execution flaw in Wing FTP Server actively exploited

Take action: One more reminder that this is an urgent patch. If you are running Wing FTP Server (any version up to and including 7.4.3), update to 7.4.4 now: attackers are already exploiting this flaw in the wild.


Researchers from Huntress report that the critical, perfect-10 flaw in Wing FTP Server is now being actively exploited in cyberattacks.

The vulnerability is tracked as CVE-2025-47812 (CVSS score 10.0). It is caused by Wing FTP Server's user and admin web interfaces mishandling "\0" (null) bytes, which allows attackers to inject arbitrary Lua code into user session files.

The flaw can be exploited to execute arbitrary system commands with the highest privileges available to the FTP service, which by default runs as root on Linux and as NT AUTHORITY\SYSTEM on Windows.
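To make the bug class concrete, here is an added illustrative model in Python. It is not Wing FTP Server's code and not a reproduction of the actual vulnerable routine; it shows one plausible shape of a null-byte flaw of this kind: a user check and an escaping routine that work with C-string semantics and stop at the first NUL byte, while the session serializer writes the full buffer into a Lua source file, so whatever follows the NUL lands outside the string literal. The function names, the session-file layout and the `INJECTED_LUA` placeholder are assumptions. The hardened variant rejects NUL bytes outright and escapes the whole buffer.

```python
# Added illustrative model of the NUL-byte bug class behind CVE-2025-47812.
# This is NOT Wing FTP Server's code; the session-file layout, function names
# and the INJECTED_LUA placeholder are assumptions for demonstration only.

KNOWN_USERS = (b"anonymous", b"alice")


def c_str(buf: bytes) -> bytes:
    """Emulate C string semantics: everything up to the first NUL byte."""
    return buf.split(b"\0", 1)[0]


def vulnerable_is_known_user(buf: bytes) -> bool:
    """Vulnerable check: only the C-string prefix is compared, so
    b'anonymous\\0<anything>' is accepted as 'anonymous'."""
    return c_str(buf) in KNOWN_USERS


def escape_lua_string(s: bytes) -> bytes:
    """Escape a byte string for use inside a double-quoted Lua literal."""
    return s.replace(b"\\", b"\\\\").replace(b'"', b'\\"')


def vulnerable_session_entry(username: bytes) -> bytes:
    """Vulnerable serializer: escaping is applied to the C string (stops at the
    NUL), but the write appends the whole buffer, so the bytes after the NUL
    reach the Lua session file unescaped."""
    prefix = c_str(username)
    tail = username[len(prefix):]          # from the NUL onward, never escaped
    return b'username = "' + escape_lua_string(prefix) + tail + b'"\n'


def outside_literal(entry: bytes) -> bytes:
    """Minimal lexer for one double-quoted Lua literal: returns whatever follows
    its closing quote, i.e. the part a Lua loader would treat as code."""
    i = entry.index(b'"') + 1
    while i < len(entry):
        c = entry[i:i + 1]
        if c == b"\\":                     # skip the escaped character
            i += 2
            continue
        if c == b'"':
            return entry[i + 1:]
        i += 1
    raise ValueError("unterminated Lua string literal")


def hardened_is_known_user(buf: bytes) -> bool:
    """Hardened check: reject embedded NULs and compare the full buffer."""
    return b"\0" not in buf and buf in KNOWN_USERS


def hardened_session_entry(username: bytes) -> bytes:
    """Hardened serializer: reject NUL bytes, then escape the full buffer."""
    if b"\0" in username:
        raise ValueError("NUL byte in username")
    return b'username = "' + escape_lua_string(username) + b'"\n'


if __name__ == "__main__":
    payload = b'anonymous\0"; INJECTED_LUA --'      # constructed sample input
    print(vulnerable_is_known_user(payload))          # accepted as 'anonymous'
    entry = vulnerable_session_entry(payload)
    print(entry)
    print(outside_literal(entry))                     # the tail, now outside the literal
    print(hardened_is_known_user(payload))            # rejected
```

The two hardened functions show the generic fix for this class: decide on one length convention (here, the full byte buffer), apply it consistently to validation, escaping and writing, and refuse any input that a C-string consumer somewhere in the pipeline would silently truncate.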

Huntress researchers first observed exploitation at a customer on July 1, 2025. The campaign involves several different attackers, connecting from different IP addresses, who perform reconnaissance, create new users for persistence, and attempt to download and run malicious batch files and the ScreenConnect remote monitoring and management (RMM) software.

The attackers showed varying levels of technical competence: some made fundamental errors in their command execution, while others were clearly more advanced.

The vulnerability affects Wing FTP Server versions prior to 7.4.4. According to Censys, 8,103 Wing FTP Server instances are reachable from the internet, and 5,004 of them expose the web interface. Those 5,004 are immediate targets, since the vulnerability is triggered through crafted HTTP POST requests to the web interface.
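As an added example of what a defender can do while patching is in progress (this is not from Huntress, Censys or Wing FTP, and not a detection signature any of them publishes): a Python snippet that flags HTTP POST requests to a web interface whose form fields decode to a value containing a NUL byte, whether sent raw or percent-encoded as `%00`, plus a scan of on-disk session files for embedded NULs. The request records, the `/login` and `/upload` paths and the session-file layout below are constructed assumptions, not Wing FTP Server's real endpoints or session format.

```python
# Added detection example for the NUL-byte pattern described above.
# Request records, paths and session-file contents are constructed samples;
# they are not Wing FTP Server's real endpoints or session format.
from pathlib import Path
from urllib.parse import parse_qsl
import tempfile

# Constructed request records, as a reverse proxy or WAF with body capture might log them.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/login", "body": "username=alice&password=s3cret"},
    {"method": "POST", "path": "/login", "body": "username=anonymous%00xyz&password=x"},
    {"method": "POST", "path": "/login", "body": "username=bob\x00junk&password=x"},
    {"method": "GET",  "path": "/login", "body": ""},
    {"method": "POST", "path": "/upload", "body": "file=report%2Epdf"},
]


def nul_fields(body: str) -> list[str]:
    """Return the names of form fields whose decoded value contains a NUL.
    parse_qsl percent-decodes, so both a raw NUL and '%00' are caught."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if "\x00" in value]


def flag_requests(records) -> list[tuple[str, list[str]]]:
    """Flag POST requests carrying a NUL in any form field."""
    hits = []
    for rec in records:
        if rec["method"] != "POST":
            continue
        fields = nul_fields(rec["body"])
        if fields:
            hits.append((rec["path"], fields))
    return hits


def scan_session_files(session_dir: Path) -> list[str]:
    """Return names of session files containing an embedded NUL byte, which a
    text-based session format should never legitimately hold."""
    return sorted(p.name for p in session_dir.iterdir()
                  if p.is_file() and b"\0" in p.read_bytes())


def demo_session_dir() -> Path:
    """Write two constructed session files to a temp dir: one clean, one tainted."""
    d = Path(tempfile.mkdtemp())
    (d / "sess_clean.lua").write_bytes(b'username = "alice"\n')
    (d / "sess_tainted.lua").write_bytes(b'username = "anonymous\x00"; INJECTED_LUA --"\n')
    return d


if __name__ == "__main__":
    for path, fields in flag_requests(SAMPLE_REQUESTS):
        print(f"suspicious POST to {path}: NUL in field(s) {fields}")
    print("tainted session files:", scan_session_files(demo_session_dir()))
```

Standard access logs do not record request bodies, so the request check needs body capture at a reverse proxy or WAF in front of the web interface; the session-file scan works on the server itself and also catches attempts that arrived before logging was in place.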

Organizations should upgrade to Wing FTP Server 7.4.4 and, if the web interface is not needed, keep it off the internet, or at least block access to it until the server is patched.