Redazione RHC: 12 July 2025 18:12
Huntress researchers have detected active exploitation of a critical vulnerability in Wing FTP Server, just one day after its public disclosure. The vulnerability, CVE-2025-47812, has been assigned the highest severity rating (CVSS 10.0) because it allows remote execution of arbitrary code on a vulnerable server. The issue was discovered and reported by RCE Security specialists, but they only published the technical details on June 30, more than a month after the patch was released.
Wing FTP Server is a popular cross-platform file transfer solution that supports FTP, FTPS, SFTP, and HTTP/S protocols. According to the developers, the program is used by over 10,000 clients worldwide, including Airbus, Reuters, and the U.S. Air Force. The vulnerability affects the username handling mechanism in the Wing FTP web interface. When a username containing a null byte (\0) is passed, everything that follows the null byte is interpreted as Lua code. This code is saved in the session file and then executed during deserialization, allowing an attacker to gain full control of the server.
According to Huntress, the first attacks began on July 1, less than 24 hours after the vulnerability was disclosed. The attackers clearly relied on published technical information. Initially, researchers recorded three connections to the victim’s server, after which a fourth attacker emerged, actively scanning the file system, creating new users and attempting to infiltrate the system. However, their actions revealed a low level of preparation: the commands contained errors, PowerShell crashed, and an attempt to download a Trojan failed—the file was intercepted by Microsoft Defender. Log analysis showed that at one point, the attacker even attempted to search the Internet for how to use the curl utility and then, presumably, asked for help: a fifth participant connected to the server.
After several failed attempts, the attacker attempted to upload a malicious file, but the server crashed shortly thereafter, and the organization quarantined it, preventing further action. Despite the ineffectiveness of the attack, Huntress warns that the CVE-2025-47812 vulnerability is actively exploited and poses a real threat. Researchers strongly recommend that all Wing FTP users update to version 7.4.4, which contains the fix.
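As an added illustration (not code from the article, Huntress or Wing FTP), a small Python triage helper for the two facts above: it flags web-login attempts whose username carries a null byte, whether raw or URL-encoded as %00, and checks a reported Wing FTP Server version against the 7.4.4 fix. The log line layout and the user= field name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Wing FTP Server release that, per the article, contains the fix for CVE-2025-47812.
FIXED_VERSION = (7, 4, 4)

# Constructed sample log lines (assumed layout; 203.0.113.0/24 is a documentation range).
# Line 2 carries a URL-encoded NUL, line 3 a raw NUL character inside the username.
SAMPLE_LOG = [
    "2025-07-01 10:00:01 203.0.113.5 POST /login user=alice&password=***",
    "2025-07-01 10:00:07 203.0.113.9 POST /login user=anonymous%00placeholder&password=x",
    "2025-07-01 10:00:09 203.0.113.9 POST /login user=guest\x00more&password=x",
]

# Assumed field name; matches either "user=" or "username=" up to the next & or whitespace.
USER_FIELD = re.compile(r"(?:^|[?&\s])(?:username|user)=([^&\s]*)")


def version_is_unpatched(version: str) -> bool:
    """True when a dotted Wing FTP Server version string is older than 7.4.4."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


def suspicious_usernames(log_lines):
    """Return (line_no, username_before_nul, bytes_after_nul) for each login
    attempt whose username contains a NUL byte, raw or encoded as %00."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = USER_FIELD.search(line)
        if not match:
            continue
        # unquote_to_bytes turns %00 into b"\x00" and leaves a raw NUL untouched,
        # so both encodings are caught by the same check.
        raw = unquote_to_bytes(match.group(1))
        if b"\x00" in raw:
            before, _, after = raw.partition(b"\x00")
            hits.append((line_no, before.decode("latin-1"), after))
    return hits


if __name__ == "__main__":
    for line_no, user, tail in suspicious_usernames(SAMPLE_LOG):
        print(f"line {line_no}: NUL in username {user!r}, trailing bytes {tail!r}")
    print("7.4.3 unpatched:", version_is_unpatched("7.4.3"))
```

Trailing bytes after the NUL are returned for triage only; the check itself keys on the null byte, which should never appear in a legitimate username.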
The incident also highlighted the vulnerabilities of legacy protocols. FTP was created in the 1970s, and security was not a priority at the time. Although Wing FTP supports more secure protocols such as SFTP and MFT, these are only available in commercial versions. Many modern projects such as Chrome, Firefox, and Debian have long since abandoned support for FTP, reflecting a general change in attitude toward the protocol in professional circles.