Hackers have started exploiting a critical remote code execution vulnerability in Wing FTP Server after technical details on the flaw became public.
The observed attack ran multiple enumeration and reconnaissance commands, after which persistence was established by creating new users.
The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows a remote, unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM).
Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, and it is widely used in enterprise and SMB environments.
On June 30, security researcher Julien Ahrens published a technical write-up for CVE-2025-47812, stating that the flaw stems from unsafe handling of null-terminated strings in C++ and improper input sanitization in Lua.
The researcher demonstrated how a null byte in the username field can bypass authentication checks and enable Lua code injection into session files.
When those files are later executed by the server, it is possible to achieve arbitrary code execution as root/SYSTEM.
Along with CVE-2025-47812, the researcher presented another three flaws in Wing FTP:
- CVE-2025-27889 – allows exfiltration of a user's password through a crafted URL if the user submits the login form, due to the unsafe inclusion of the password in a JavaScript variable (location).
- CVE-2025-47811 – Wing FTP runs as root/SYSTEM by default, with no sandboxing or privilege drop, which makes RCEs far more dangerous.
- CVE-2025-47813 – supplying an overlong UID cookie discloses file system paths.
All of the flaws affect Wing FTP versions 7.4.3 and earlier. The vendor fixed the issues by releasing version 7.4.4 on May 14, 2025, except for CVE-2025-47811, which was considered unimportant.
Researchers at managed cybersecurity platform Huntress created a proof-of-concept exploit for CVE-2025-47812 and showed in the video below how hackers can take advantage of it in attacks:
https://www.youtube.com/watch?v=ur79s5nnlzs
Researchers at Huntress found that on July 1, a day after technical details for CVE-2025-47812 became available, at least one attacker exploited the vulnerability at one of its customers.
The attacker sent malformed login requests with null-byte-injected usernames, targeting 'loginok.html'. These inputs created malicious session .lua files that injected Lua code into the server.
The injected code was designed to hex-decode a payload and execute it via cmd.exe, using certutil to download and execute malware from a remote location.
Huntress says the same Wing FTP instance was targeted by five different IP addresses within a short timeframe, which potentially reflects mass-scanning and exploitation attempts by several threat actors.
The commands seen in these attempts were for reconnaissance, gaining persistence in the environment, and data exfiltration using the cURL tool and a webhook endpoint.
The hacker failed the attack "probably because of their unfamiliarity with them, or because Microsoft Defender stopped part of their attack," says Huntress. Nevertheless, the researchers observed clear exploitation of the critical Wing FTP Server vulnerability.
Even if Huntress observed only failed attacks on its customers, hackers are likely to scan for reachable Wing FTP instances and try to take advantage of vulnerable servers.
Companies are strongly advised to upgrade to product version 7.4.4 as soon as possible.
If switching to a newer, safe version is not possible, the researchers recommend disabling or restricting HTTP/HTTPS access to the Wing FTP web portal, disabling anonymous logins, and monitoring the session directory for suspicious additions.
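One way to act on the last recommendation, as an added example that is not code from Huntress, the researcher or the Wing FTP vendor: a heuristic scan of session .lua files for the process-execution and download tooling described above. The session directory is supplied by the operator; the indicator list and the layout of the constructed sample files are assumptions.

```python
import re
import sys
from pathlib import Path

# Heuristic indicators drawn from the behaviour the article describes.
# Assumption: a legitimate session file only assigns session variables,
# never spawns processes, and (being text) contains no NUL bytes.
INDICATORS = {
    "lua-process-exec": re.compile(rb"\b(?:io\.popen|os\.execute)\s*\("),
    "lua-dynamic-code": re.compile(rb"\b(?:loadstring|load|dofile|loadfile)\s*\("),
    "windows-lolbin": re.compile(rb"(?i)\b(?:cmd\.exe|certutil|powershell)\b"),
    "download-tool": re.compile(rb"(?i)\b(?:curl|wget)\b"),
    "null-byte": re.compile(rb"\x00"),
}


def scan_session_bytes(data: bytes) -> list[str]:
    """Return the sorted names of indicators present in one session file."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))


def scan_session_dir(session_dir: str) -> dict[str, list[str]]:
    """Map each flagged *.lua file in session_dir to its indicators."""
    findings = {}
    for path in sorted(Path(session_dir).glob("*.lua")):
        hits = scan_session_bytes(path.read_bytes())
        if hits:
            findings[path.name] = hits
    return findings


# Constructed samples (not captured from a real server; layout is assumed).
BENIGN_SAMPLE = b"_SESSION['username']=[[alice]]\n_SESSION['ipaddress']=[[203.0.113.7]]\n"
SUSPECT_SAMPLE = BENIGN_SAMPLE + b'io.popen("cmd.exe /c PLACEHOLDER")\n'

if __name__ == "__main__":
    # Usage: python scan_sessions.py <path-to-session-directory>
    for name, hits in scan_session_dir(sys.argv[1]).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a reason to review the file and the matching login activity, not proof of compromise; run the scan on a schedule and alert on any non-empty result.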