Hackers have been exploiting a critical-severity vulnerability in the Wing FTP Server file transfer solution to execute arbitrary code remotely, after technical details on the flaw were published on June 30, security researchers warn.
Tracked as CVE-2025-47812, the critical issue is described as the mishandling of null bytes, which allows attackers to inject arbitrary Lua code into user session files, leading to the execution of arbitrary commands with root or SYSTEM privileges.
Successful exploitation of the bug could lead to full server compromise through the remote execution of arbitrary code. While authentication is required, threat actors can also exploit the defect using an anonymous FTP account, which does not require a password but is disabled by default.
“When exploiting the vulnerability, a specific set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages,” Arctic Wolf explains.
CVE-2025-47812 affects Wing FTP Server versions up to and including 7.4.3, and was resolved in version 7.4.4 of the file transfer tool, which was released on May 14.
On June 30, however, Julien Ahrens of RCE Security published technical details and a PoC exploit for the vulnerability, and hackers started targeting it in the wild the next day, Huntress reports.
“[Wing FTP] sessions typically store the user’s current directory, IP address, and username. By taking advantage of the null-byte injection, the adversary disrupts the expected input in the Lua file which stores these session characteristics,” the security firm notes.
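The mechanism the two quotes above describe, a sanitizer that treats a null byte as end-of-string while the rest of the username still reaches a Lua session file that is later loaded as code, is easier to see in a small simulation. The following is an added example written for this page, not Wing FTP Server code and not the RCE Security or Huntress PoC: the session-file layout (three Lua assignments), the field names, the escaping routine and the way the raw tail after the null byte reaches the file are all assumptions chosen to illustrate the bug class. It pairs the vulnerable writer with a hardened one and includes a checker that reports any bytes that escape the string literal on the `user` line.

```python
"""
Simulation of the bug class behind CVE-2025-47812: a username sanitizer that
stops at a NUL byte while the caller writes the whole buffer into a Lua
session file that is later loaded as code. Added example, not Wing FTP Server
code; the session-file layout, the escaping routine and the field names are
assumptions chosen to illustrate the mechanism.
"""

NUL = 0x00
QUOTE = 0x22      # "
BACKSLASH = 0x5C  # \


def c_style_escape(value: bytes) -> bytes:
    """Mimic a sanitizer written against a C string: it escapes quotes and
    backslashes but treats the first NUL as end of string (strlen semantics)."""
    out = bytearray()
    for b in value:
        if b == NUL:
            break
        if b in (QUOTE, BACKSLASH):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def lua_escape(value: bytes) -> bytes:
    """Length-aware escaping into a Lua double-quoted literal: quotes and
    backslashes get a backslash, every control byte becomes a \\ddd escape."""
    out = bytearray()
    for b in value:
        if b in (QUOTE, BACKSLASH):
            out.append(BACKSLASH)
            out.append(b)
        elif b < 0x20 or b == 0x7F:
            out += b"\\%03d" % b
        else:
            out.append(b)
    return bytes(out)


def render_session(user: bytes, ip: bytes, cwd: bytes) -> bytes:
    """Assumed session-file layout: three Lua assignments, one per line."""
    return (b'user = "' + user + b'"\n'
            b'ip = "' + ip + b'"\n'
            b'cwd = "' + cwd + b'"\n')


def write_session_vulnerable(username: bytes, ip: bytes, cwd: bytes) -> bytes:
    """The bug (modelled): the sanitized prefix is emitted, then the caller,
    which knows the real buffer length, appends what followed the NUL verbatim."""
    nul = username.find(b"\x00")
    tail = username[nul + 1:] if nul != -1 else b""
    return render_session(c_style_escape(username) + tail,
                          c_style_escape(ip), c_style_escape(cwd))


def write_session_hardened(username: bytes, ip: bytes, cwd: bytes) -> bytes:
    """Fix: reject NUL bytes outright and escape every byte of every field."""
    for name, value in (("username", username), ("ip", ip), ("cwd", cwd)):
        if b"\x00" in value:
            raise ValueError(f"{name} contains a NUL byte")
    return render_session(lua_escape(username), lua_escape(ip), lua_escape(cwd))


def literal_end(buf: bytes, start: int) -> int:
    """Index of the closing quote of the Lua double-quoted string that opens
    at buf[start], honouring backslash escapes the way the Lua lexer does."""
    i = start + 1
    while i < len(buf):
        if buf[i] == BACKSLASH:
            i += 2
        elif buf[i] == QUOTE:
            return i
        else:
            i += 1
    raise ValueError("unterminated Lua string")


def injected_code(session: bytes) -> bytes:
    """Bytes on the 'user' line that land outside the string literal, i.e.
    what the Lua loader would execute as code. Empty means the username
    stayed data."""
    start = session.index(b'user = "') + len(b'user = ')
    end = literal_end(session, start)
    return session[end + 1:].split(b"\n", 1)[0]


if __name__ == "__main__":
    # Constructed payload: the NUL ends the sanitizer's view of the string,
    # the rest closes the literal and smuggles a statement into the file.
    payload = b'anonymous\x00"; os.execute("id"); x = "'
    print(write_session_vulnerable(payload, b"10.0.0.5", b"/").decode())
    print("injected:", injected_code(write_session_vulnerable(payload, b"10.0.0.5", b"/")))
    try:
        write_session_hardened(payload, b"10.0.0.5", b"/")
    except ValueError as exc:
        print("hardened writer rejected it:", exc)
```

Note that a plain `"` in the username is handled by both writers; only the null byte defeats the C-style sanitizer, which is why the hardened version refuses NUL bytes before escaping rather than trying to escape around them. Generating code from user-controlled data is the underlying design flaw; a session store that is read as data (not loaded with a Lua loader) removes the class entirely.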
Huntress, which also created a PoC exploit targeting the flaw, says indicators of compromise (IoCs) can be found in the Wing FTP installation folder, in the logs within the ‘Domain’ directory.
The security firm says it had observed threat activity against a single customer as of July 8, with the attackers attempting to fetch and run arbitrary files, fingerprint the system, and deploy tools for remote access.
According to Censys, however, there are roughly 8,103 internet-accessible Wing FTP Servers, 5,004 of which expose their web interfaces. Those are the instances potentially susceptible to exploitation, as the PoC exploit for CVE-2025-47812 delivers the malicious username via a POST request to the web interface.
Related: Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild
Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities
Related: Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities
Related: Critical Citrix NetScaler Flaw Exploited as Zero-Day