Wing FTP Server Vulnerability (CVE-2025-47812)

On July 7, 2025, a critical vulnerability in Wing FTP Server was actively exploited in the wild. Identified as CVE-2025-47812 and carrying a maximum CVSS score of 10.0, the flaw allows unauthenticated attackers to execute arbitrary system commands through the product’s web interface. Security researcher Julien Ahrens discovered the issue, which originates from improper null byte handling. Public proof-of-concept (PoC) code released in late June accelerated exploitation.

Attackers exploited the vulnerability using anonymous FTP accounts to deploy malicious Lua scripts, leading to remote code execution (RCE) with system-level privileges. The vulnerability affected multiple organizations across industries running vulnerable Wing FTP Server versions.

Date of Incident: July 7, 2025
Vulnerability ID: CVE-2025-47812
CVSS Score: 10.0 (Critical)

Explanation

The vulnerability stems from the server’s failure to sanitize null (\0) bytes in HTTP requests processed by its web interface. Attackers crafted POST requests targeting login endpoints such as /admin_login.lua, embedding Lua code within session files. Due to default configurations, these scripts were executed with root or SYSTEM privileges.

This attack vector allowed full system compromise using minimal privileges. The presence of a public PoC contributed to widespread exploitation across unpatched servers.

Impact

System Compromise: Remote code execution enabled attackers to take full control of vulnerable systems.

Data Breach: Some organizations reported exfiltration of sensitive internal data.

Service Disruption: Affected servers experienced outages and performance degradation.

Widespread Risk: Thousands of internet-facing Wing FTP instances were at immediate risk.

MITRE ATT&CK Mapping

Tactic: Initial Access (TA0001): T1190 – Exploit Public-Facing Application (via web interface)

Tactic: Execution (TA0002): T1059.003 – Command and Scripting Interpreter: Lua (executed Lua payload)

Tactic: Privilege Escalation (TA0004): T1068 – Exploitation for Privilege Escalation (root or SYSTEM execution)

Tactic: Impact (TA0040): T1496 – Resource Hijacking (potential misuse for cryptomining)

IOCs

Domains: None publicly disclosed

IP Addresses: 203.0.113.45 (example attacker IP)

File Hashes: None specific disclosed; malicious Lua scripts observed

File Names: session_tmp.lua

Log Artifacts

Jul 07 2025 09:22:17 [Web-Server] POST /admin_login.lua HTTP/1.1 from 203.0.113.45
Jul 07 2025 09:22:18 [Web-Server] Error: Invalid null byte in request
Jul 07 2025 09:22:19 [System] Command executed: whoami

Payload Analysis

— Malicious Lua script
os.execute(“whoami > /tmp/compromised.txt”)

Remediation

Vendor Patch Guidance: Upgrade immediately to Wing FTP Server version 7.4.4 or later, which addresses the vulnerability.

Temporary Mitigations: Disable anonymous FTP access. Restrict access to the web interface to trusted IP ranges.

Known Workarounds: Apply WAF rules to detect and block null byte injections in HTTP requests.

Threat Hunting Recommendations

Log Correlation: Monitor for suspicious POST requests to /admin_login.lua or /user_login.lua that include null bytes in the payload.

Sigma Rule:

title: Wing FTP Server Null Byte Injection
id: b2c3d4e5-f6a7-8901-bcde-234567890123
status: experimental
description: Detects null byte injection attempts targeting login endpoints
logsource:
category: web
product: wing_ftp
detection:
selection:
cs-method: POST
cs-uri-stem|contains: “/login.lua”
cs-bytes|contains: “\0”
condition: selection
level: critical

Anomalous Traffic: Watch for unauthorized Lua script execution and new outbound traffic patterns indicative of command-and-control behavior.

Takeaway for CISOs

The CVE-2025-47812 incident highlights the importance of proactive vulnerability and patch management. Delays in applying critical security updates—even by days—can leave organizations open to automated, large-scale exploitation. CISOs must enforce structured patching processes, monitor public exploit releases, and perform real-time risk assessments of internet-facing applications.

How FireCompass Can Help

FireCompass continuously monitors your external attack surface using its Continuous Automated Red Teaming (CART) platform. It identifies and prioritizes exploitable vulnerabilities like CVE-2025-47812 across your environment before attackers can act.

FireCompass helps security teams:

• Detect exposed services
• Emulate real-world exploits mapped to MITRE ATT&CK
• Uncover anonymous FTP exposure and admin interface attack paths
• Prioritize remediation based on exploitability and impact

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
Start Free Trial