Critical Wing FTP Server Vulnerability Exploited


Hackers have been exploiting a critical-severity vulnerability in the Wing FTP Server file transfer solution to execute arbitrary code remotely, after technical information on the flaw was published on June 30, security researchers warn.

Tracked as CVE-2025-47812, the critical issue is described as the mishandling of null bytes, which allows attackers to inject arbitrary Lua code in user session files, leading to the execution of arbitrary commands with root or system privileges.

Successful exploitation of the bug could potentially lead to full server compromise through the remote execution of arbitrary code. While authentication is required, threat actors can also exploit the defect using an anonymous FTP account, which does not require a password but is disabled by default.

“When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application ...
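A defender-side check for the condition described above, as an added example that is not from the article or from Wing FTP Server: it rejects login usernames that contain a NUL byte, including percent-encoded and double-encoded forms. The form field name `username` and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # also catches nested encodings such as %2500


def decode_fully(raw: str) -> bytes:
    """Percent-decode repeatedly until the value stops changing."""
    data = raw.encode("utf-8", "surrogateescape")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def username_field(body: str, field: str = "username"):
    """Return the raw (still encoded) value of the assumed username field."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == field:
            return value.replace("+", " ")
    return None


def check_login(body: str):
    """Classify a form-encoded login body; returns (verdict, bytes_after_nul)."""
    raw = username_field(body)
    if raw is None:
        return ("no-username", None)
    value = decode_fully(raw)
    nul = value.find(b"\x00")
    if nul != -1:
        # Anything after the NUL is data a C-style string routine would not see.
        return ("reject-nul", len(value) - nul - 1)
    if any(b < 0x20 or b == 0x7F for b in value):
        return ("reject-control", None)
    return ("ok", None)


# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    "username=alice&password=x",
    "username=anonymous%00TRAILING&password=",
    "username=bob%2500TRAILING&password=x",
    "username=carol%0d%0aX&password=x",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_login(body), body)
```

Running the same check over stored request logs gives a quick retrospective search for login attempts whose username carried a NUL byte.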


Copyright of this story solely belongs to SecurityWeek. To see the full text click HERE