A critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812, is being actively exploited in the wild, posing a severe threat to systems running versions prior to 7.4.4. This flaw, which has been assigned a maximum CVSS score of 10, allows attackers to execute arbitrary system commands with the privileges of the FTP service, typically root or SYSTEM.
The vulnerability arises from improper handling of '\0' bytes in the user and admin web interfaces, which can lead to the injection of arbitrary Lua code into user session files. This code injection can be leveraged to execute commands on the host system, effectively granting attackers full control over the affected server.
The urgency of addressing this vulnerability is underscored by its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on July 14, 2025, just four days after its initial disclosure. The rapid exploitation timeline, with attacks occurring within four days of disclosure, highlights the critical nature of this flaw. The Exploit Prediction Scoring System (EPSS) assigns it a high likelihood of exploitation at 0.925, further emphasizing the risk.
Security researchers have identified at least two distinct exploits in the wild, with 18 proof-of-concept (PoC) exploits available, making it relatively easy for attackers to replicate and deploy attacks. The vulnerability's exploitation has been confirmed by multiple security firms, who have observed active campaigns targeting vulnerable Wing FTP Server instances.
Administrators are urged to upgrade to Wing FTP Server version 7.4.4 or later, where the vulnerability has been patched. Given the critical nature of this flaw and its active exploitation, immediate action is recommended to mitigate potential breaches. Organizations should also review their systems for signs of compromise, particularly if they have been running vulnerable versions of the software.
In addition to patching, security teams should monitor network traffic for unusual activity that may indicate exploitation attempts. Implementing additional security measures, such as network segmentation and strict access controls, can help limit the impact of any successful exploitation.
As attackers continue to exploit this vulnerability, it serves as a stark reminder of the importance of timely patch management and the need for robust security practices to protect critical infrastructure from emerging threats.
CSURFACE