Remote Code Execution Flaw Affects More Than 5,000 Servers

Threat actors are exploiting a critical-severity vulnerability in a server file transfer solution to execute arbitrary code remotely with root and system privileges.
First disclosed by researcher Julien Ahrens of RCE Security on June 30, the flaw in Wing FTP Server, tracked as CVE-2025-47812, stems from improper handling of null bytes in Wing FTP’s web interface. According to the CVE advisory, the vulnerability affects versions before 7.4.4 and carries a maximum CVSS score of 10.0, underscoring its severity and ease of exploitation.
“This can be used to execute arbitrary system commands with the privileges of the FTP service, root or system by default,” the CVE entry says.
Huntress observed active exploitation of the flaw on July 1, just one day after the technical disclosure. Attackers used a crafted username with a null byte to bypass the authentication process and inject malicious Lua code into server session files. These session files, once processed during legitimate page loads such as /dir.html, are automatically executed, resulting in remote code execution.
The injected Lua payload often takes the form of a downloader script using system commands such as certutil to retrieve malware from external servers. In one example, the payload attempted to download a beacon from an attacker-controlled server.
Microsoft Defender blocked the downloaded file, identified as Trojan:Win32/Ceprolad.A, and subsequently terminated the Wing FTP Server process, disconnecting the attacker.
According to Censys, 8,103 Wing FTP servers are exposed to the internet globally, of which 5,004 have accessible web interfaces. The majority of servers are hosted in the United States, China, Germany, the United Kingdom and India, making these countries the most affected by potential exploitation.
Security researcher Ahrens said the flaw originates from how Wing FTP’s authentication function c_CheckUser parses usernames. By inserting a null byte in the username string, attackers trick the server into validating partial usernames. Because the unsanitized username is later written to session files as Lua code, this leads to command injection when those files are read.
Once Lua code is injected into the session file, it is executed with system or root privileges, depending on the operating system, Ahrens said. Wing FTP runs with elevated privileges by default and lacks sandboxing or privilege-dropping protections, amplifying the effect of the flaw.
Arctic Wolf warned that given the public availability of proof-of-concept code and technical breakdowns, attackers will likely continue targeting unpatched systems. The company confirmed that exploitation has included downloading malicious payloads, running the reconnaissance commands whoami and ipconfig, and even attempting to install remote management tools like ScreenConnect.
Wing FTP Server users are urged to upgrade to version 7.4.4 immediately. Arctic Wolf emphasized that even if anonymous login is disabled, any valid user credentials – including weak passwords – could be used to trigger the vulnerability.
Organizations should examine their session file directories and Wing FTP logs for suspicious entries and investigate any anomalous user accounts such as wing or wingftp that may have been created for persistence during exploitation attempts.
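As an added example (not code from the article, Wing FTP or the researchers quoted), the following triage script applies the checks described above to session files and account names. The function names, the sample file contents and the session directory passed to `scan_session_dir` are assumptions; the indicators are the commands, tool and account names mentioned in this article.

```python
import re
from pathlib import Path

# Indicators named in the article: downloader/recon commands and ScreenConnect.
COMMAND_TOKENS = re.compile(rb"\b(certutil|whoami|ipconfig|screenconnect)\b", re.I)
# Standard Lua calls that run OS commands.
LUA_EXEC = re.compile(rb"\b(os\.execute|io\.popen)\s*\(")
# Account names the article reports as possible persistence.
PERSISTENCE_ACCOUNTS = {"wing", "wingftp"}

# Constructed samples; the real session file layout is not shown in the article.
CLEAN = b'username = "alice"\nipaddress = "192.0.2.10"\n'
TAMPERED = b'username = "anonymous"\nos.execute("certutil <constructed arguments>")\n'


def scan_session_bytes(data: bytes) -> list[str]:
    """Return the reasons a session file's raw bytes look tampered with."""
    findings = []
    # Assumption: a text session file never legitimately contains a NUL byte.
    if b"\x00" in data:
        findings.append("null byte in session data")
    if LUA_EXEC.search(data):
        findings.append("Lua command-execution call")
    tokens = {m.group(1).lower().decode() for m in COMMAND_TOKENS.finditer(data)}
    findings.extend(f"command token: {t}" for t in sorted(tokens))
    return findings


def scan_session_dir(session_dir: str) -> dict[str, list[str]]:
    """Scan every file in session_dir; return only files with findings."""
    results = {}
    for path in sorted(Path(session_dir).iterdir()):
        if path.is_file():
            findings = scan_session_bytes(path.read_bytes())
            if findings:
                results[path.name] = findings
    return results


def suspicious_accounts(usernames) -> list[str]:
    """Return configured accounts whose names match the reported persistence names."""
    return sorted(u for u in usernames if u.lower() in PERSISTENCE_ACCOUNTS)


if __name__ == "__main__":
    print(scan_session_bytes(CLEAN))
    print(scan_session_bytes(TAMPERED))
    print(suspicious_accounts(["alice", "wingftp"]))
```

Findings are leads for investigation rather than proof of compromise, and an empty result does not replace upgrading to 7.4.4.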
