Remote Code Execution Flaw Impacts Over 5,000 Servers

A significant vulnerability has been identified in the Wing FTP Server, with malicious actors leveraging this flaw to conduct remote code execution with elevated privileges. The vulnerability allows attackers to execute arbitrary code, resulting in critical risks to affected systems.
This flaw, discovered by security researcher Julien Ahrens from RCE Security, is documented under the identifier CVE-2025-47812 and relates to improper handling of null bytes in the server’s web interface. The vulnerability impacts all versions prior to 7.4.4 and is rated with a maximum CVSS score of 10.0, highlighting its gravity and potential for exploitation.
The vulnerability permits attackers to bypass authentication by crafting usernames that contain null bytes, enabling them to execute system commands with the privileges under which the FTP service runs by default. This demonstrates a clear risk in the server's authentication method.
Huntress reported active exploitation of this vulnerability shortly after its public disclosure, with attackers injecting Lua code into server session files. These files are processed during normal operation, so the injected payloads execute automatically, giving the attacker unauthorized access.
The injected scripts often act as downloaders, leveraging system commands to fetch malware from external servers. One known payload attempted to retrieve a beacon from a compromised server, indicating the malicious intent behind these exploitations.
Research from Censys indicates that a total of 8,103 Wing FTP servers remain exposed to the internet, with 5,004 having web interfaces that are accessible. The countries hosting the majority of these servers include the United States, China, Germany, the United Kingdom, and India, placing businesses in these regions at heightened risk.
Experts attribute the vulnerability to the server's inadequate parsing of usernames: when a null byte is inserted, only part of the username is validated. The unsanitized remainder is later written into session files as Lua code and, when read back, results in command injection.
Given the public availability of proof-of-concept code, the likelihood of continued targeting of unpatched systems is high. Observed attacks go beyond reconnaissance, in which commands such as whoami and ipconfig are executed, to attempts to install remote management tools.
Organizations using Wing FTP Server are strongly advised to upgrade to version 7.4.4 without delay. Note that even with anonymous logins turned off, the flaw can still be exploited using valid credentials, which underlines the need for strong password practices.
As a precaution, businesses should thoroughly investigate their session file directories and Wing FTP logs for unusual entries, particularly for user accounts like “wing” that could indicate ongoing exploitation attempts.
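As an added example of the triage the previous paragraph recommends (not Wing FTP's or any vendor's tooling), the script below scans a session-file directory for the two indicators the article describes: null bytes in usernames and Lua execution primitives that a server-written session file should never contain. It assumes session files are plain text in a single directory and that the username field is written as `username = "..."`; the `username` key, the regexes and the sample files are assumptions constructed for this example.

```python
"""Heuristic triage of Wing FTP session files for signs of CVE-2025-47812 abuse.

Added example, not Wing FTP's own tooling. Assumes plain-text session files in
one directory; the `username = "..."` field layout is an assumption.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Lua calls that should not appear in a session file written by the server.
LUA_EXEC_RE = re.compile(rb"\b(os\.execute|io\.popen|loadstring|dofile)\s*\(")
# Session-file username field; the key name is an assumption for this example.
USERNAME_RE = re.compile(rb'username\s*=\s*"([^"\n]*)"')
SUSPECT_ACCOUNTS = {b"wing"}  # account name the article singles out


def scan_session_bytes(data: bytes) -> list[str]:
    """Return a list of findings for one session file's raw bytes."""
    findings: list[str] = []
    if b"\x00" in data:
        findings.append("null byte present")
    for m in LUA_EXEC_RE.finditer(data):
        findings.append("lua exec primitive: " + m.group(1).decode())
    for m in USERNAME_RE.finditer(data):
        # Compare only the part before any null byte, since that is what
        # the server's validation would have seen.
        if m.group(1).split(b"\x00")[0] in SUSPECT_ACCOUNTS:
            findings.append("suspect account: " + m.group(1).split(b"\x00")[0].decode())
    return findings


def scan_session_dir(session_dir: Path) -> dict[str, list[str]]:
    """Map file name -> findings for every flagged file in the directory."""
    report: dict[str, list[str]] = {}
    for path in sorted(session_dir.iterdir()):
        if path.is_file():
            hits = scan_session_bytes(path.read_bytes())
            if hits:
                report[path.name] = hits
    return report


if __name__ == "__main__":
    # Constructed sample directory: one benign session file, one tampered one.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sess_ok").write_bytes(b'username = "alice"\nlocal x = 1\n')
        (d / "sess_bad").write_bytes(b'username = "wing\x00"\nos.execute("whoami")\n')
        for name, hits in scan_session_dir(d).items():
            print(name, hits)  # only sess_bad is reported
```

Point `scan_session_dir` at the real session directory (and extend `SUSPECT_ACCOUNTS` with any account names you do not recognise) to get a file-by-file report for manual review.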