
Hackers are exploiting critical RCE flaw in Wing FTP Server


Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public.

The observed attack ran multiple enumeration and reconnaissance commands followed by establishing persistence by creating new users.

The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows a remote, unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM).

Wing FTP Server is a secure file transfer management solution, widely used in enterprise and SMB environments, that can also execute Lua scripts.

On June 30, security researcher Julien Ahrens published a technical write-up for CVE-2025-47812, explaining that the flaw stems from unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua.

The researcher demonstrated how a null byte in the username field could bypass authentication checks and enable Lua code injection into session files.

When those files are subsequently executed by the server, it is possible to achieve arbitrary code execution as root/SYSTEM.
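The root cause described above is a mismatch between how a null-terminated C++ string is read and how the full input buffer is later written. The snippet below is an added illustration of that bug class and a hardened counterpart; it is not the article's code, not Wing FTP's code, and the function names, the session-file format and the sample inputs are all constructed for the example.

```python
# Added example (not from the article or from Wing FTP Server).
# Shows how validating the C-string view of an input while later writing the
# full buffer lets a NUL byte slip data past a check, and how to harden it.

NUL = b"\x00"


def c_string_view(data: bytes) -> bytes:
    """Mimic a C-style null-terminated string: everything after the first NUL
    byte is invisible to code that uses strlen()/strcmp() on the buffer."""
    idx = data.find(NUL)
    return data if idx == -1 else data[:idx]


def naive_username_check(username: bytes, valid_users: set) -> bool:
    """Flawed pattern: compares only the truncated C-string view, so bytes after
    a NUL are never inspected even though they are still in the buffer."""
    return c_string_view(username) in valid_users


def hardened_username_check(username: bytes, valid_users: set) -> bool:
    """Hardened pattern: reject any control byte (including NUL) anywhere in
    the buffer, then compare the full byte string, not a truncated view."""
    if any(b < 0x20 or b == 0x7F for b in username):
        return False
    return username in valid_users


def lua_string_literal(value: bytes) -> str:
    """Serialize bytes as a Lua string literal for a hypothetical session file.
    Quotes, backslashes and every non-printable byte are escaped with Lua's
    three-digit decimal \\ddd form, so the value cannot close the quotes and
    be interpreted as Lua code when the file is loaded."""
    out = []
    for b in value:
        if b in (0x22, 0x5C):            # '"' and '\\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:           # printable ASCII passes through
            out.append(chr(b))
        else:                            # NUL, newlines, high bytes: \ddd
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'


def write_session_line(username: bytes) -> str:
    """Build one line of a constructed Lua-style session file safely."""
    return "session.username = %s" % lua_string_literal(username)


if __name__ == "__main__":
    # Constructed input: a valid-looking name followed by NUL and trailing data.
    tainted = b"anonymous\x00 trailing data"
    print("naive check   :", naive_username_check(tainted, {b"anonymous"}))
    print("hardened check:", hardened_username_check(tainted, {b"anonymous"}))
    print(write_session_line(tainted))
```

The naive check returns True for the tainted input because `strcmp`-style comparison stops at the NUL, while the hardened check returns False because it inspects every byte. Even where a value must be written into a Lua session file, escaping it with `lua_string_literal` keeps it a string rather than executable code.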

Along with CVE-2025-47812, the researcher presented another three flaws in Wing FTP:

CVE-2025-27889 – allows exfiltrating user passwords via a crafted URL if the user submits a login form, due to unsafe inclusion of the password in a JavaScript variable (location)

CVE-2025-47811 – Wing FTP runs as root/SYSTEM by default, with no sandboxing or privilege drop, making RCEs far more dangerous
