Blog, News & Press Releases - Field Effect

Critical RCE flaw in Wing FTP Server under active attack

Written by Field Effect Security Intelligence Team | Jul 11, 2025 3:39:35 PM

Multiple security firms have confirmed active exploitation of a newly disclosed vulnerability in Wing FTP Server.

Wing FTP Server is widely used by businesses, managed service providers, hosting companies, and organizations in need of secure file transfers. It's typically deployed to handle internal and external file sharing, automate workflows using Lua scripting, and support compliance through audit logging and access controls.

Threat actors have started taking advantage of the flaw just days after technical details and proof-of-concept (PoC) code were published online. Attackers were observed injecting malicious Lua code into Wing FTP Server session files through malicious login requests that include null bytes, allowing them to bypass authentication and execute commands with elevated privileges. This method allowed them to download malware, create persistent user accounts, and attempt installation of remote access tools like ScreenConnect.

Once the server processes these tampered sessions, often triggered by accessing specific web pages, the code runs automatically, giving attackers full control. This method is being actively used to deploy malware and establish persistent access.

The flaw, tracked as CVE-2025-47812, allows unauthenticated remote attackers to execute malicious system commands with root or SYSTEM privileges on Wing FTP Server installations. Once it is exploited, threat actors can install malware, create persistent user accounts, exfiltrate sensitive data, and potentially take over the server completely. It was rated with a maximum CVSS score of 10 out of 10.

The flaw affects all major operating systems supported by Wing FTP (Windows, Linux, and macOS), and researchers are reporting over 8,000 internet-facing servers exposed online.

Wing FTP Server patched CVE-2025-47812 on May 14, 2025, with the release of version 7.4.4.

Analyst notes:

CVE-2025-47812 presents a high-fidelity path to full system compromise. Its low barrier to exploitation and wide exposure demand immediate patching, proactive threat hunting, and updates to detection rules. To mitigate CVE-2025-47812, ensure that all Wing FTP Server instances are upgraded to version 7.4.4. It's also essential to disable anonymous FTP access, audit session files for suspicious Lua code, and monitor server logs for signs of exploitation attempts. Proactive threat hunting and segmentation of FTP services can further reduce exposure and limit potential lateral movement.
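
One way to carry out the session-file audit recommended above, as an added example that is not Field Effect's or Wing FTP's code. The session directory is supplied by the operator; the list of Lua calls, the NUL-byte check and the sample file contents are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Lua calls that run OS commands, touch files or load more code. Assumption:
# a legitimate session file only assigns session values and calls none of these.
CALLS = re.compile(
    rb"\b(os\.(?:execute|remove|rename)|io\.(?:popen|open)|"
    rb"loadstring|loadfile|dofile|load|require)\s*[(\"'\[{]"
)

# Constructed samples; the assignment syntax is illustrative only.
BENIGN_SAMPLE = b"_SESSION['username']=[[alice]]\n_SESSION['ipaddress']=[[192.0.2.10]]\n"
TAMPERED_SAMPLE = (
    b"_SESSION['username']=[[alice]]\n"
    b"local h = io.popen(\"whoami\")\n"
    b"_SESSION['note']=[[a\x00b]]\n"
)


def scan_bytes(data: bytes) -> list[tuple[int, str]]:
    """Return (line number, reason) for every suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for match in CALLS.finditer(line):
            findings.append((lineno, "lua call: " + match.group(1).decode()))
        if b"\x00" in line:  # assumption: NUL never appears in a text session file
            findings.append((lineno, "NUL byte"))
    return findings


def audit_session_dir(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every regular file under root; return only files with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            hits = scan_bytes(path.read_bytes())
        except OSError as exc:  # an unreadable session file is worth a look too
            hits = [(0, f"unreadable: {exc.strerror}")]
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Pass the session directory of your installation; with no argument,
    # the constructed tampered sample is scanned instead.
    result = audit_session_dir(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_bytes(TAMPERED_SAMPLE)}
    for name, hits in result.items():
        for lineno, reason in hits:
            print(f"{name}:{lineno}: {reason}")
```

A hit is a lead for review rather than proof of compromise, and a clean result does not replace upgrading to version 7.4.4.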