Security researchers at Huntress have confirmed active exploitation of a critical remote code execution vulnerability in Wing FTP Server, designated CVE-2025-47812, occurring just one day after its public disclosure.
This rapid weaponization of the vulnerability shows that organizations running Wing FTP Server need to update to 7.4.4 or later immediately, rather than waiting for a scheduled maintenance window, to prevent compromise.
Zero-Day Window Exploitation
The vulnerability, first publicly disclosed on June 30, 2025, by security researcher Julien Ahrens, affects all versions of Wing FTP Server prior to 7.4.4.
Huntress security teams detected the first exploitation attempt on July 1, 2025, at 16:15 UTC, marking an extremely short window between disclosure and active attacks.
This timeline shows how little time defenders have once technical details of a vulnerability are public: within roughly a day, multiple actors were already sending working exploit requests.
CVE-2025-47812 is a null byte and Lua injection flaw that gives an attacker remote code execution as root or SYSTEM, the privilege level the Wing FTP Server process runs with.
The vulnerability stems from improper handling of null bytes in the username parameter processed by loginok.html, the endpoint that handles the login step.
A remote attacker places a null byte in the username field and appends Lua code after it: the null byte terminates the username as far as the credential check is concerned, while the full value, Lua code included, is still passed on and later interpreted by the server, which allows arbitrary commands to be executed on the target system.
Wing FTP Server, a widely used file transfer server available for Windows, Linux, and macOS, is a critical component of many organizations' file sharing infrastructure.
The widespread deployment of this software makes the vulnerability particularly concerning for enterprise environments where file transfer services are essential for business operations.
Sophisticated Attack Chain
The exploitation observed by Huntress researchers was a multi-stage attack that showed both competent tradecraft and a number of operational security mistakes on the attackers' part.
The attack begins with a specially crafted POST request to the loginok.html endpoint, authenticating either with known credentials or, where anonymous login is enabled, with the anonymous account, to establish a session.
The malicious username carries a null byte (%00) that truncates the value as the server's string handling sees it, followed by Lua code designed to execute system commands.
Analysis of the compromised system revealed that multiple threat actors attempted to exploit the vulnerability throughout the day, with at least five different IP addresses involved in the attacks.
The threat actors employed various techniques and demonstrated varying levels of competency:
- Reconnaissance Activities: Executed system information gathering commands, including ipconfig, whoami, arp -a, and nslookup, to map the target environment.
- Persistence Attempts: Created new user accounts with the usernames "wingftp" and "wing," using weak passwords that follow predictable patterns such as "123123qweqwe."
- Remote Access Tool Deployment: Attempted to install ScreenConnect remote management software to maintain persistent access to the compromised system.
- Malware Distribution: Tried to download and execute malicious payloads using certutil commands, demonstrating familiarity with living-off-the-land techniques.
- Operational Errors: Made several technical mistakes, including malformed commands and typos that hindered their attack progression and revealed their varying skill levels.
Indicators of Compromise (IOCs):
Item | Description |
---|---|
223.160.131[.]104 | 1st Attacker IP |
149.248.44[.]88 | 2nd Attacker IP |
103.88.141[.]42 | 3rd Attacker IP |
185.196.9[.]225 | 4th (Bumbling) Attacker IP |
146.70.11[.]39 | 5th Attacker IP |
https://webhook[.]site/5d112487-6133-4942-ac87-3f473d44bd81 | Webhook site |
123123qweqwe | Password used for attacker accounts |
123123qweqweq | Password used for one attacker account |
wing | Backdoor username created by attacker |
wingftp | Backdoor username created by attacker |
http://185.196.9[.]225:8080/EOp45eWLSp5G5Uwp_yOCiQ %TEMP%\mvveiWJHx.exe | Beacon URL followed by its download target, as captured from the attacker's command line |
%TEMP%\mvveiWJHx.exe | Beacon file path |
c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4 | Beacon SHA256 |
Trojan:Win32/Ceprolad.A | Microsoft Defender detection |
https://oooooooo11.screenconnect[.]com/bin/screenconnect.clientsetup.msi | ScreenConnect installer URL |
c:\1.msi | ScreenConnect installer path |
f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac | ScreenConnect installer SHA256 |
instance-y9tbyl-relay.screenconnect[.]com | ScreenConnect relay hostname (callback) |
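To make the request description in the attack chain and the IOC table above directly usable, here is an added Python example; it is not Huntress's code nor part of Wing FTP Server. It checks a reported version against the 7.4.4 fix line, and inspects captured POST requests to loginok.html for a NUL byte in the username field (the %00 injection point), while matching source IPs and usernames against the IOC table. The request records are constructed for the example, their dict shape is an assumption (the body would have to come from a WAF, reverse proxy or packet capture, since a plain access log does not retain POST bodies), and the Lua payload is a placeholder marker, not a working exploit.

```python
"""Triage helpers for CVE-2025-47812 in Wing FTP Server.

Added example for this article; not Huntress or Wing FTP Server code.
"""
from urllib.parse import parse_qs

# Attacker IPs and backdoor usernames taken from the IOC table above.
IOC_IPS = {"223.160.131.104", "149.248.44.88", "103.88.141.42",
           "185.196.9.225", "146.70.11.39"}
IOC_USERS = {"wing", "wingftp"}

FIXED_VERSION = (7, 4, 4)  # first release that is not affected


def parse_version(text):
    """'7.4.3' -> (7, 4, 3); a missing component counts as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(text):
    """Every Wing FTP Server release before 7.4.4 is affected."""
    return parse_version(text) < FIXED_VERSION


def inspect_login_request(req):
    """Inspect one captured HTTP request and return a list of findings.

    `req` is a dict with src_ip, method, path and body. That shape is an
    assumption for this example: the body must come from a WAF, reverse
    proxy or packet capture, because the username travels in the body of
    the loginok.html POST and ordinary access logs do not keep POST bodies.
    """
    findings = []
    if req["src_ip"] in IOC_IPS:
        findings.append(f"source {req['src_ip']} is a listed attacker IP")
    if req["method"] != "POST" or not req["path"].endswith("/loginok.html"):
        return findings
    # parse_qs turns %00 into a real NUL; a raw NUL in the body is kept as-is,
    # so one check covers both encodings.
    fields = parse_qs(req["body"], keep_blank_values=True)
    for username in fields.get("username", []):
        if "\x00" in username:
            head, tail = username.split("\x00", 1)
            findings.append(f"NUL byte in username {head!r}; "
                            f"trailing payload {tail[:60]!r}")
        elif username in IOC_USERS:
            findings.append(f"login as backdoor account {username!r}")
    return findings


def triage(requests):
    """Run the inspection over a batch; returns {index: findings} for hits only."""
    hits = {}
    for i, req in enumerate(requests):
        findings = inspect_login_request(req)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample traffic for the example, not real captured requests.
# The "<lua payload>" marker stands in for the attacker's Lua code.
SAMPLE_REQUESTS = [
    {"src_ip": "10.0.0.5", "method": "POST", "path": "/loginok.html",
     "body": "username=alice&password=s3cret"},
    {"src_ip": "185.196.9.225", "method": "POST", "path": "/loginok.html",
     "body": "username=anonymous%00%3Clua+payload%3E&password=x"},
    {"src_ip": "10.0.0.7", "method": "POST", "path": "/loginok.html",
     "body": "username=wing&password=123123qweqwe"},
    {"src_ip": "10.0.0.9", "method": "GET", "path": "/login.html", "body": ""},
]


if __name__ == "__main__":
    for v in ("7.4.3", "7.4.4"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for i, findings in triage(SAMPLE_REQUESTS).items():
        print(f"request {i}: {'; '.join(findings)}")
```

The NUL check is deliberately independent of whatever Lua follows it: a legitimate username never contains a NUL byte, so any occurrence in the loginok.html username field is worth an alert regardless of payload, and the trailing text is surfaced only to speed up analyst triage. The IOC matches are a supplement, since the listed IPs and account names are specific to the activity Huntress observed and will not catch other actors using the same bug.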