PROBABLYPWNED
Vulnerabilities · March 16, 2026 · 4 min read

Wing FTP Server RCE Flaw Still Exploited Eight Months After Patch

CISA renews warnings about CVE-2025-47812, a CVSS 10.0 vulnerability in Wing FTP Server that grants attackers root/SYSTEM access. Over 8,000 servers remain exposed.

Marcus Chen

CISA issued a fresh advisory today urging organizations to patch Wing FTP Server instances against CVE-2025-47812, a critical remote code execution vulnerability that attackers continue to exploit more than eight months after a patch became available.

The vulnerability carries a maximum CVSS score of 10.0 and allows attackers to execute arbitrary commands with root privileges on Linux or NT AUTHORITY\SYSTEM on Windows. Despite remediation being available since May 2025, thousands of servers remain vulnerable.

How the Attack Works

CVE-2025-47812 stems from improper handling of null bytes in the username parameter during login. When an attacker supplies a null byte in the username field, Wing FTP's C++ authentication routine validates only the prefix before the null byte, while the full string, including the injected Lua code that follows it, is written unfiltered into session files.

The Lua code planted in these session files is then executed when authenticated functionality is accessed, granting attackers command execution with elevated privileges. The flaw is particularly dangerous because anonymous FTP accounts, if enabled, can trigger the exploit without any valid credentials.
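The bug class described above, as an added illustration that is not Wing FTP's code: a validator that treats a length-delimited username as a NUL-terminated C string checks only the prefix, while the session record stores every byte of the declared length; the hardened variant validates exactly the bytes it persists. The function names, the permitted username alphabet and the sample input are constructed for this example.

```c
#include <ctype.h>
#include <string.h>

#define NAME_MAX 64

struct session {
    char   username[NAME_MAX];
    size_t username_len;  /* bytes persisted, including any after an embedded NUL */
};

/* Username alphabet assumed for this example: letters, digits, '_', '-' and '.' */
static int allowed_char(unsigned char c) {
    return isalnum(c) || c == '_' || c == '-' || c == '.';
}

/* Vulnerable pattern: the buffer is walked as a C string, so validation stops
 * at the first NUL even though the caller later persists all `len` bytes. */
int validate_username_vulnerable(const char *buf, size_t len) {
    if (len == 0 || len >= NAME_MAX) return 0;
    for (const char *p = buf; *p; p++)
        if (!allowed_char((unsigned char)*p)) return 0;
    return 1;
}

/* Hardened: reject any NUL within the declared length and check every byte,
 * so the bytes validated are exactly the bytes persisted. */
int validate_username_fixed(const char *buf, size_t len) {
    if (len == 0 || len >= NAME_MAX || memchr(buf, '\0', len) != NULL) return 0;
    for (size_t i = 0; i < len; i++)
        if (!allowed_char((unsigned char)buf[i])) return 0;
    return 1;
}

/* Persists the full byte range after validation; returns bytes stored, 0 if rejected. */
size_t store_session(struct session *s, const char *buf, size_t len,
                     int (*validate)(const char *, size_t)) {
    memset(s, 0, sizeof *s);
    if (!validate(buf, len)) return 0;
    memcpy(s->username, buf, len);
    s->username_len = len;
    return len;
}

/* Constructed input: a valid-looking name, an embedded NUL, then trailing bytes
 * that the vulnerable validator never inspects (sizeof - 1 counts the NUL). */
static const char   kInjected[]  = "anonymous\0<unchecked bytes>";
static const size_t kInjectedLen = sizeof kInjected - 1;

/* Runs the constructed input through one validator; returns bytes persisted. */
size_t bytes_persisted(int (*validate)(const char *, size_t)) {
    struct session s;
    return store_session(&s, kInjected, kInjectedLen, validate);
}
```

The vulnerable path persists all 27 bytes while only seeing "anonymous"; the fixed path rejects the input outright, which is the property to verify in any length-delimited login parser.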

According to Censys advisory data, over 8,103 Wing FTP Server instances remain exposed on the internet, with 5,004 displaying vulnerable web interfaces. The Shadowserver Foundation reported approximately 2,000 exposed instances globally, with heavy concentrations in the United States and Europe.

High-Profile Users at Risk

Wing FTP Server claims more than 10,000 customers worldwide, including major organizations like the U.S. Air Force, Sony, Airbus, Reuters, and Sephora. File transfer servers often handle sensitive data and operate in privileged network positions, making them attractive targets, a pattern we've seen repeatedly with authentication bypass flaws in network appliances.

Exploitation Timeline

Security researcher Julien Ahrens published technical details about the vulnerability on June 30, 2025. Within 24 hours, Huntress researchers observed active exploitation against customer systems.

"They seemed to be feeling out what they could actually do with this vulnerability, but it didn't appear to be organized in any way," said Jamie Levy, Huntress director, describing the initial attack behavior. Arctic Wolf researchers documented attackers attempting to download malicious files, conduct reconnaissance, and install remote monitoring tools on compromised systems.

CISA added CVE-2025-47812 to its Known Exploited Vulnerabilities catalog on July 14, 2025, giving federal civilian agencies until August 4, 2025 to remediate. Today's renewed advisory suggests many organizations still haven't complied.

Why Servers Remain Unpatched

File transfer infrastructure often becomes "set and forget" technology. Organizations deploy these servers, configure them for business partners, and rarely revisit them unless something breaks. This pattern creates persistent security blind spots similar to what we covered in CISA's warning about MongoDB instances remaining vulnerable despite clear exploitation.

Wing FTP Server runs with root or SYSTEM privileges by default and lacks protections like privilege dropping, sandboxing, or jailing. This design choice means any compromise grants immediate full system access.

Mitigation Steps

Organizations running Wing FTP Server should take immediate action:

  1. Update to version 7.4.4 or later — This is the only complete fix
  2. Disable anonymous FTP access — Reduces attack surface if patching isn't immediately possible
  3. Monitor for indicators of compromise — Check session files for unexpected Lua code
  4. Restrict network access — Limit which IP ranges can reach the server's web interface

A public proof-of-concept exploit is available on GitHub, lowering the barrier for less sophisticated attackers. Organizations that haven't patched should assume they may already be compromised and conduct forensic review.

Why This Matters

File transfer vulnerabilities have become a favorite target for ransomware groups and nation-state actors. The GNU Wget2 path traversal vulnerability and numerous MOVEit, GoAnywhere, and Accellion compromises demonstrate how attackers weaponize these flaws for data theft and extortion.

CISA's decision to re-emphasize this eight-month-old vulnerability signals continued exploitation attempts. Security teams should treat legacy file transfer infrastructure as high-priority remediation targets before attackers find them first.
