Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Exploited in the Wild
CVE-2025-47812 is a critical Wing FTP Server vulnerability actively exploited in the wild. Learn how it works, the risks, and how to protect your system with the latest patch.
A high-severity vulnerability affecting Wing FTP Server is currently being actively exploited by malicious actors, according to cybersecurity firm Huntress. The flaw, identified as CVE-2025-47812 and carrying a CVSS score of 10.0, poses a serious threat due to its potential for unauthenticated remote code execution.
What is CVE-2025-47812?
CVE-2025-47812 is a critical security flaw caused by improper handling of null bytes ('\0') within the server's web interface. This flaw allows attackers to inject arbitrary Lua code into session files, ultimately enabling remote code execution with the privileges of the FTP service, typically root or SYSTEM.
The issue was fixed in Wing FTP Server version 7.4.4, and users are strongly urged to update immediately.
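The bug class behind this flaw is untrusted input written straight into a file that is later executed as Lua. The following is an added illustration, not Wing FTP Server's code: a toy session writer in the unsafe style next to a hardened one that rejects NUL bytes (a C-style reader would stop at the NUL while the Lua layer keeps going, so the two layers disagree about the value) and escapes everything else so the input can never close the string literal. Function names, the `username` field and the session layout are assumptions made for the example.

```python
# Added example (not Wing FTP Server code): unsafe interpolation of untrusted
# input into a Lua session file, beside a hardened writer that rejects NUL
# bytes and escapes every other control or quote character.
# Function and field names are assumptions made for illustration.
import re
from typing import Dict

_LUA_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def lua_quote(value: str) -> str:
    """Return `value` as a double-quoted Lua string literal.

    Backslash, double quote and every control character (including NUL and
    DEL) are emitted as Lua escapes. Control bytes use the three-digit
    decimal form (\\ddd) so a digit that follows cannot extend the escape.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif code < 0x20 or code == 0x7F:
            out.append("\\%03d" % code)
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def session_line_naive(username: str) -> str:
    """The pattern to avoid: raw interpolation into Lua source."""
    return 'username = "%s"' % username


def session_line_safe(username: str) -> str:
    """Write the field only after rejecting NUL and escaping the rest.

    NUL is refused rather than escaped: any C-style code that later reads the
    same value (filesystem calls, strlen-based checks) stops at the NUL, so
    the Lua layer and the C layer would disagree about the content.
    """
    if "\x00" in username:
        raise ValueError("NUL byte in username")
    return "username = " + lua_quote(username)


def render_session(fields: Dict[str, object]) -> str:
    """Render a whole session table with every string value escaped."""
    lines = []
    for key, val in fields.items():
        if not _LUA_IDENT.match(key):
            raise ValueError("bad field name: %r" % key)
        if isinstance(val, str):
            if "\x00" in val:
                raise ValueError("NUL byte in field %s" % key)
            lines.append("%s = %s" % (key, lua_quote(val)))
        elif isinstance(val, bool):  # bool is checked before int on purpose
            lines.append("%s = %s" % (key, "true" if val else "false"))
        elif isinstance(val, int):
            lines.append("%s = %d" % (key, val))
        else:
            raise TypeError("unsupported type for field %s" % key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(session_line_naive('guest"'))        # literal is closed early
    print(session_line_safe('guest"'))         # quote is escaped
    print(render_session({"username": "anonymous", "admin": False, "uid": 7}))
```

The escaping alone is not enough at a C/Lua boundary; that is why the hardened writer refuses NUL outright instead of encoding it as `\000`.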
Exploitable Without Authentication
What makes this vulnerability particularly dangerous is that it can be exploited via anonymous FTP accounts, making it easier for attackers to gain access without credentials.
A full technical breakdown of the issue was released in late June 2025 by security researcher Julien Ahrens from RCE Security, prompting widespread attention.
How Attackers Are Exploiting It
According to Huntress, threat actors have already been observed exploiting this vulnerability to:
- Download and execute malicious Lua scripts
- Perform system reconnaissance
- Attempt to install remote monitoring software
- Create new FTP users for persistence
- Drop a payload for installing ScreenConnect
Although the installation of the remote access software was intercepted before completion, the first signs of exploitation were observed on July 1, 2025, just one day after public disclosure.
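The behaviours Huntress lists (Lua scripts dropped and run, reconnaissance, new FTP users, a remote-access installer) are each visible in ordinary endpoint and audit telemetry. The following triage routine is an added example, not Huntress's or Wing FTP's tooling: it parses a small set of constructed audit events (the `key=value` format and the process name `wftpserver` are assumptions for this illustration, not the product's real log format) and raises a finding for each of those behaviours.

```python
# Added example (not Huntress or Wing FTP tooling): scan audit events for the
# post-exploitation behaviours reported for CVE-2025-47812. The log format,
# field names and sample lines are constructed for this illustration.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: timestamp followed by key=value pairs.
SAMPLE_EVENTS = """\
2025-07-01T08:00:12Z event=login user=anonymous src=198.51.100.7 result=ok
2025-07-01T08:00:19Z event=child_process parent=wftpserver image=/bin/sh
2025-07-01T08:00:21Z event=file_write parent=wftpserver path=/tmp/.s1.lua
2025-07-01T08:00:40Z event=child_process parent=wftpserver image=/usr/bin/whoami
2025-07-01T08:02:03Z event=user_created actor=anonymous new_user=backup_svc
2025-07-01T08:03:10Z event=file_write parent=wftpserver path=/tmp/ScreenConnect.ClientSetup.msi
2025-07-01T08:05:00Z event=login user=alice src=192.0.2.44 result=ok
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process name assumed for the FTP service in this constructed telemetry.
FTP_SERVICE = "wftpserver"


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed audit line into a dict; the timestamp is 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, val in _KV.findall(rest):
        fields[key] = val.strip('"')
    return fields


def classify(ev: Dict[str, str], line: str) -> Optional[Finding]:
    """Map one event to a finding, or None when nothing on the TTP list matches."""
    kind = ev.get("event")
    parent = ev.get("parent", "")
    path = ev.get("path", "").lower()
    if kind == "child_process" and parent == FTP_SERVICE:
        # An FTP daemon has no business spawning shells or recon utilities.
        return Finding("high", "ftp-service-spawned-process", line)
    if kind == "file_write" and parent == FTP_SERVICE and path.endswith(".lua"):
        return Finding("high", "lua-script-dropped-by-ftp-service", line)
    if kind == "file_write" and "screenconnect" in path:
        return Finding("medium", "remote-access-installer-dropped", line)
    if kind == "user_created" and ev.get("actor") == "anonymous":
        return Finding("high", "anonymous-session-created-user", line)
    return None


def scan(text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        found = classify(parse_event(line), line)
        if found:
            findings.append(found)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, which is what an alert dashboard would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.rule, "<-", f.line)
    print(summarize(scan(SAMPLE_EVENTS)))
```

The first rule is the one worth keeping even after patching: a file-transfer service that spawns a child process at all is a strong signal regardless of which script or tool the attacker chose.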
Over 8,000 Servers Exposed
Data from Censys reveals that there are currently 8,103 publicly accessible Wing FTP servers, with 5,004 exposing their web interface. The highest concentrations of these servers are found in the United States, China, Germany, the UK, and India.