- Attackers began exploiting the flaw one day after a full technical write-up of the vulnerability was published.
- Many servers remained vulnerable for weeks even though a fix had been released well before the disclosure.
- Null-byte injection in the username field lets attackers bypass authentication and execute Lua code.
Security researchers have confirmed that attackers are actively exploiting a critical vulnerability in Wing FTP Server, a widely used file-transfer management solution.
Huntress researchers report that the flaw, tracked as CVE-2025-47812, was publicly disclosed on June 30 and that exploitation began almost immediately, just one day later.
The vulnerability allows unauthenticated remote code execution (RCE), giving attackers the ability to run code as root or SYSTEM on vulnerable servers.
Wing FTP Server remains vulnerable on unpatched systems
Wing FTP Server is deployed in enterprise and SMB environments and is used by more than 10,000 organizations worldwide, including high-profile customers such as Airbus, PakGazette and the United States Air Force.
The vulnerability exists in versions 7.4.3 and earlier and was patched in version 7.4.4, released on May 14, 2025.
Although the fix had been available for more than a month, many users were still unpatched when the technical details were made public.
Security researcher Julien Ahrens explained that the problem stems from inadequate input sanitization and unsafe handling of null-terminated strings.
The weakness allows a null byte injected into the username field to bypass authentication and insert malicious Lua code into session files.
When the server deserializes these files, the injected code runs at the highest privilege level on the system.
One attacker created malicious session files that used certutil and cmd.exe to fetch and execute remote payloads.
Although the attack did not succeed, thanks in part to Microsoft Defender, the researchers observed that the intruders attempted to escalate privileges, perform reconnaissance and create new users to maintain persistence.
According to the reports, another attacker had to look up how to use curl mid-attack, and one even brought in a second party during the operation.
This shows the persistence of attackers, who are likely scanning for exposed FTP instances, including those running outdated versions.
Even if the attackers lacked sophistication, the vulnerability remains highly dangerous.
The researchers recommend updating to version 7.4.4 immediately; where updating is not possible, disabling HTTP/S access, removing anonymous login options and monitoring session file directories are essential mitigation steps.
Three additional vulnerabilities were reported: a JavaScript-enabled password exfiltration, another exposing system information through an overly long cookie, and a third highlighting the lack of server sandboxing.
While these pose serious risks, CVE-2025-47812 received the highest severity rating because of its potential for complete compromise.
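The two defender-side checks that follow from the mechanism described above (a null byte in the username, Lua code landing in session files) and from the "monitor session file directories" advice, as an added example that is not from the article, Huntress or the Wing FTP project. It assumes nothing about the real session file format: it treats each file as text and flags Lua execution primitives and the tools the article reports (certutil, cmd.exe, curl); the sample inputs are constructed.

```python
import os
import re
from urllib.parse import unquote

# A username carrying a raw NUL or a percent-encoded %00, as it would appear in a
# login request or an access log, is the trigger the article attributes to CVE-2025-47812.
_NULL_BYTE = re.compile(r"\x00|%00", re.IGNORECASE)

# Content heuristics for session files: Lua primitives that can run code or a command,
# plus the living-off-the-land tools named in the article. Hypothetical patterns, not
# signatures from any vendor.
_LUA_EXEC = re.compile(r"\b(os\.execute|io\.popen|loadstring|load)\s*\(", re.IGNORECASE)
_LOLBIN = re.compile(r"\b(certutil|cmd\.exe|curl)\b", re.IGNORECASE)


def username_is_suspicious(username: str) -> bool:
    """True if the username (raw or URL-encoded) embeds a null byte."""
    return bool(_NULL_BYTE.search(username)) or "\x00" in unquote(username)


def session_file_findings(text: str) -> list:
    """Return the indicator categories found in one session file's text."""
    findings = []
    if _LUA_EXEC.search(text):
        findings.append("lua-exec")
    if _LOLBIN.search(text):
        findings.append("lolbin")
    return findings


def scan_session_dir(path: str) -> dict:
    """Map each file under `path` to its findings; files with none are omitted."""
    report = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            hits = session_file_findings(text)
            if hits:
                report[entry.path] = hits
    return report


if __name__ == "__main__":
    # Constructed samples: a benign login, two that embed a null byte, and one
    # fake session file body containing a Lua exec call and a named LOLBin.
    for user in ("alice", "alice\x00", "alice%00"):
        print(repr(user), "suspicious" if username_is_suspicious(user) else "ok")
    print(session_file_findings("username = 'alice'\npayload = os.execute('cmd.exe')"))
```

Point `scan_session_dir` at the server's session file directory from a scheduled job and alert on any non-empty report; a benign session file should contain neither Lua calls nor those tool names.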
Via The Register and BleepingComputer