The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical flaw in Wing FTP Server, tracked as CVE-2025-47812, by adding it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is being actively exploited in the wild and affects every version of the popular server before 7.4.4, the release that fixed it.
Julien Ahrens of RCE Security published an independent technical analysis of the vulnerability, which carries the maximum CVSS score of 10.0. Huntress, a cybersecurity firm, confirmed active exploitation in the wild: on July 1, 2025, it observed the flaw being used against at least one customer, only a day after the technical details had been made public. That short gap between disclosure and exploitation is what makes the bug especially worrying.
The flaw is trivially exploitable through anonymous FTP accounts where those are enabled (and with any valid credentials otherwise), which makes it especially troubling for businesses that rely on this server. Huntress researchers noted, “CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process).” The login check treats the username as a NUL-terminated C string, so everything after the null byte is ignored for authentication, yet the full submitted string is written into the server-side Lua session file. When that session file is later loaded, the attacker-supplied text after the null byte runs as Lua code with the privileges of the Wing FTP Server process (typically root or SYSTEM). This improper neutralization turns a crafted username into a remote Lua injection.
A CVE.org advisory states, “The user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files.” Because the flaw sits in the web interface itself, every exposed instance below 7.4.4 is affected regardless of where it is hosted.
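As an added example (not code from the article, from Huntress or RCE Security, or from the Wing FTP project), the following Python script shows both sides of the bug described above: the hardened input check a login handler should apply so that a NUL byte can never reach the authentication comparison or the session-file writer, and a detector that walks captured HTTP request records for POSTs to loginok.html whose username carries a percent-encoded null byte. The request records, client IPs and the INJECTED_LUA placeholder are constructed for illustration; the (ip, path, body) record format is an assumption, not Wing FTP's own log format.

```python
"""Detect null-byte Lua injection attempts against a Wing FTP-style loginok.html
endpoint (the CVE-2025-47812 pattern) and show the input check that blocks them.

Added example. Request records below are constructed, not real traffic, and the
record layout is an assumption rather than Wing FTP's log format.
"""
from typing import List, Optional, Tuple

from urllib.parse import parse_qs

# Constructed sample request records: (client_ip, request_path, form_body).
# The body is application/x-www-form-urlencoded, so %00 is an encoded NUL.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("203.0.113.5", "/loginok.html", "username=alice&password=s3cret"),
    # NUL after the account name, followed by a placeholder for injected Lua.
    ("198.51.100.7", "/loginok.html", "username=anonymous%00INJECTED_LUA&password=x"),
    ("203.0.113.9", "/dir.html", "path=%2F"),
    # NUL with nothing after it: still a probe worth flagging.
    ("198.51.100.8", "/loginok.html", "username=anonymous%00&password=x"),
]


def username_is_safe(username: str) -> bool:
    """Hardened check for a login handler: reject empty names and any control
    character (NUL, CR, LF, ...). Applied before the name reaches either a
    NUL-terminated string comparison or a Lua session-file template, it closes
    the gap between what is authenticated and what is stored."""
    if username == "":
        return False
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in username)


def extract_username(form_body: str) -> Optional[str]:
    """Return the decoded username field, or None if absent.
    parse_qs percent-decodes values, so %00 becomes a literal NUL we can inspect."""
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("username")
    return values[0] if values else None


def find_null_byte_logins(requests) -> List[Tuple[str, str, str]]:
    """Scan request records and return (ip, authenticated_as, payload_after_nul)
    for every loginok.html submission whose username contains a NUL byte.

    authenticated_as is the prefix a NUL-terminated comparison would see;
    payload_after_nul is the tail that would be written into the session file."""
    hits = []
    for ip, path, body in requests:
        if not path.endswith("/loginok.html"):
            continue
        username = extract_username(body)
        if username is None or "\x00" not in username:
            continue
        authenticated_as, _, payload = username.partition("\x00")
        hits.append((ip, authenticated_as, payload))
    return hits


if __name__ == "__main__":
    for ip, name, payload in find_null_byte_logins(SAMPLE_REQUESTS):
        print(f"{ip}: NUL in username; auth sees {name!r}, session file would get {payload!r}")
    for candidate in ("alice", "anonymous\x00INJECTED_LUA", ""):
        print(f"username_is_safe({candidate!r}) = {username_is_safe(candidate)}")
```

Note that the detector keys on the decoded NUL, not on any particular Lua text, so it also catches probes that send only the null byte without a payload; the hardening check likewise rejects the whole control-character range rather than just `\0`, since a newline in a stored username is equally able to break out of a generated Lua file.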
Most of the impacted Wing FTP Server instances are in the United States, but the exposure is global: China and Germany have significant counts of affected servers, as do the United Kingdom and India. With exploit details public and exploitation already confirmed, further attacks on unpatched hosts are likely.
Censys has published a search query that identifies internet-exposed Wing FTP Server hosts, which defenders and attackers alike can use to find potentially vulnerable instances. Administrators should upgrade to 7.4.4 or later and, where that is not immediately possible, disable anonymous FTP access and restrict who can reach the web interface. Ongoing vigilance will be necessary as the cybersecurity community works to reduce the risk posed by CVE-2025-47812.