BleepingComputer reports that intrusions leveraging the maximum severity Wing FTP Server remote code execution flaw, tracked as CVE-2025-47812, have commenced a day after the release of public details regarding the security defect, which security researcher Julien Ahrens noted to have resulted from improper Lua input sanitization and unsafe null-terminated string management.
Attackers have exploited the flaw by delivering malformed login requests with null-byte-injected usernames meant to establish malicious session .lua files that installed code eventually resulting in the retrieval and execution of malware, according to an analysis from Huntress researchers. While five different IP addresses have been used to infiltrate the targeted Wing FTP Server, threat actors were not able to conduct a successful compromise likely due to the intervention of Microsoft Defender or their lack of knowledge. Such a bug was reported by Ahrens alongside three other Wing FTP issues, all of which impact Wing FTP versions 7.4.3 and earlier. Immediate application of Wing FTP version 7.4.4 has been urged.
Attackers have exploited the flaw by delivering malformed login requests with null-byte-injected usernames meant to establish malicious session .lua files that installed code eventually resulting in the retrieval and execution of malware, according to an analysis from Huntress researchers. While five different IP addresses have been used to infiltrate the targeted Wing FTP Server, threat actors were not able to conduct a successful compromise likely due to the intervention of Microsoft Defender or their lack of knowledge. Such a bug was reported by Ahrens alongside three other Wing FTP issues, all of which impact Wing FTP versions 7.4.3 and earlier. Immediate application of Wing FTP version 7.4.4 has been urged.
