The widely used Wing FTP Server has been targeted by active exploitation of critical vulnerabilities, demanding immediate attention from administrators. Two key vulnerabilities, CVE-2025-47812 and CVE-2025-5196, have been identified, requiring urgent patching and security enhancements.

CVE-2025-47812: Remote Code Execution Vulnerability

This critical vulnerability, CVE-2025-47812, allows remote attackers to execute arbitrary code on affected Wing FTP Servers. Discovered by Julien Ahrens of RCE Security and publicly disclosed on June 30th, 2025, this flaw stems from improper handling of null bytes in the username parameter during the authentication process, specifically impacting the /loginok.html endpoint. This allows for Lua code injection into session files, which are subsequently executed with root (Linux) or SYSTEM (Windows) privileges.

Huntress security researchers reported observing active exploitation of this vulnerability in the wild as early as July 1st, 2025. The exploitation involves inserting a special character sequence into the username field, bypassing standard string processing during login. Successful exploitation grants the attacker complete control over the server, enabling actions such as downloading and executing malicious files, performing reconnaissance, and installing remote monitoring and management (RMM) software – potentially leading to data breaches and ransomware deployment.

The vulnerability affects Wing FTP Server versions prior to 7.4.4. The affected versions run the FTP server process, WFTPServer.exe, which can be identified in the task manager. Evidence of exploitation can be found in log files within the "Domain" folder, specifically in files named with the YYYY-M-D.log format. These logs are separated by domain name, so the subdirectory will vary.

Mitigation for CVE-2025-47812

The only effective mitigation for CVE-2025-47812 is upgrading to Wing FTP Server version 7.4.4 or later. This update addresses the null byte handling flaw and prevents the Lua code injection. Immediate patching is crucial to prevent exploitation.

CVE-2025-5196: Unnecessary Privileges in Lua Admin Console

Another vulnerability, CVE-2025-5196, has been identified in Wing FTP Server versions up to 7.4.3. This vulnerability, classified as critical, involves the Lua Admin Console and grants unnecessary privileges due to insufficient input validation. While the vendor argues this isn't a security vulnerability because system administrators already have full permissions, running the WingFTP service as a normal user rather than SYSTEM/Root is strongly recommended as a mitigation strategy. This vulnerability affects the confidentiality, integrity, and availability of the system.

Mitigation for CVE-2025-5196

The recommended mitigation for CVE-2025-5196 is to upgrade to Wing FTP Server version 7.4.4 or later. Additionally, changing the service account to a standard user account rather than SYSTEM/Root further enhances security. This reduces the potential impact even if exploitation is successful.

Additional Vulnerabilities

Beyond CVE-2025-47812 and CVE-2025-5196, other vulnerabilities have been reported. CVE-2025-27889, a low-severity vulnerability, affects versions before 7.4.4 and involves improper validation of the url parameter in the downloadpass.html endpoint, potentially leading to cleartext password disclosure. CVE-2025-47811 also affects versions up to 7.4.4, where the administrative web interface, running as root/SYSTEM by default, allows execution of arbitrary system commands. While the vendor considers this acceptable, the risk remains significant.

Best Practices for Wing FTP Server Security

Beyond patching, several best practices can strengthen your Wing FTP Server's security:

  • Regular Updates: Implement a robust patch management system to ensure timely updates for all software, including Wing FTP Server.
  • Strong Passwords: Enforce strong, unique passwords for all user accounts and regularly change them.
  • Least Privilege: Run the Wing FTP Server service with the least necessary privileges. Avoid running it as SYSTEM/Root.
  • Firewall Rules: Configure firewall rules to restrict access to the Wing FTP Server to only necessary ports and IP addresses. This limits the attack surface.
  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities proactively.
  • Monitoring: Implement robust security information and event management (SIEM) systems to monitor server activity and detect suspicious behavior.
  • Multi-Factor Authentication (MFA): If available, enable MFA for administrative accounts to add an extra layer of security.

The active exploitation of these vulnerabilities highlights the critical need for immediate action. Failing to update and implement these security best practices leaves your system vulnerable to significant security breaches. Prioritize patching your Wing FTP Server to the latest version and follow the recommended security measures to protect your data and systems.