- Attackers launched exploitation attempts one day after a full technical write-up of the flaw was made public
- Many servers remained vulnerable for weeks, even though a fix had been released long before disclosure
- Injecting a null byte into the username field lets attackers bypass login and execute Lua code
Security researchers have confirmed that attackers are actively exploiting a critical vulnerability in Wing FTP Server, a widely used solution for managing file transfers.
Huntress researchers say the flaw, tracked as CVE-2025-47812, was publicly disclosed on June 30, and exploitation began almost immediately, just a day later.
The vulnerability allows unauthenticated remote code execution (RCE), letting attackers run code as root or SYSTEM on vulnerable servers.
Wing FTP Server remains vulnerable on unpatched systems
Wing FTP Server is deployed in enterprise and SMB environments and is used by more than 10,000 organizations worldwide, including high-profile customers such as Airbus, Reuters and the US Air Force.
The vulnerability exists in versions 7.4.3 and earlier and was fixed in version 7.4.4, which was released on May 14, 2025.
Although the fix had been available for more than a month, many users were still unpatched when the technical details were made public.
Security researcher Julien Ahrens explained that the problem stems from improper input sanitization and unsafe handling of null-terminated strings.
The weakness allows a null byte injected into the username field to bypass authentication and to insert malicious Lua code into the session files.
When the server later processes these files, they trigger code execution at the highest system level.
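The mechanism described above is a mismatch between two layers: one treats the username as a NUL-terminated string and stops at the first 0x00 byte, while another copies the whole buffer onward. The following Python example, added here and not taken from Wing FTP Server or the researchers' write-up, contrasts that vulnerable pattern with a length-aware validator; the allowed-name set, length limit and sample inputs are constructed for illustration.

```python
from typing import Optional

# Constructed example: names that a server might accept for anonymous login.
ALLOWED_ANON = {b"anonymous", b"ftp"}


def c_string_view(raw: bytes) -> bytes:
    """Emulates C-style string handling: the value ends at the first NUL byte."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def vulnerable_accepts(raw: bytes) -> bool:
    """Vulnerable pattern: the authentication decision only sees the truncated
    view, while later code persists the full buffer (anything after the NUL)."""
    return c_string_view(raw) in ALLOWED_ANON


def hardened_validate(raw: bytes, max_len: int = 64) -> Optional[str]:
    """Length-aware validator. Returns the username if it is safe to use, or
    None if it contains NUL or other control bytes, is empty or overlong, or is
    not plain ASCII. The NUL check guarantees that every layer sees one value."""
    if not raw or len(raw) > max_len:
        return None
    if c_string_view(raw) != raw:  # a NUL byte is present somewhere
        return None
    if any(b < 0x20 or b == 0x7F for b in raw):  # other control bytes
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def persisted_matches_authenticated(raw: bytes) -> bool:
    """Defensive consistency check: does the value that would be written to a
    session file equal the value the login decision was made on? A mismatch
    means content was smuggled past the check."""
    return c_string_view(raw) == raw


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying a NUL byte.
    for sample in (b"alice", b"anonymous\x00trailing-data"):
        print(sample, vulnerable_accepts(sample), hardened_validate(sample),
              persisted_matches_authenticated(sample))
```

The second sample shows the core of the bug: the truncated view passes the anonymous-login check while the full buffer, including everything after the NUL, is what would reach the session file.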
One attacker created malicious session files that used certutil and cmd.exe to retrieve and execute remote payloads.
Although the attack ultimately failed, thanks in part to Microsoft Defender, the researchers noted that the intruders were attempting to escalate privileges, carry out reconnaissance and create new users to maintain persistence.
Another attacker was reportedly seen looking up how to use curl mid-attack, and a second party even joined during the operation.
This shows the persistence of attackers, who are likely scanning for exposed Wing FTP servers, including those running outdated versions.
Even if the attackers lacked sophistication, the vulnerability remains highly dangerous.
Researchers recommend upgrading to version 7.4.4 immediately; where updating is not possible, disabling HTTP/S access, removing anonymous login options and monitoring session files are essential mitigation steps.
Three additional vulnerabilities have been reported: one allowing password exfiltration via JavaScript, another exposing system information via an overly long cookie, and a third highlighting the server's lack of sandboxing.
Although these pose serious risks, CVE-2025-47812 received the highest severity rating because of its potential for full system compromise.
Via The Register and BleepingComputer