
CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warn


Huntress security researchers observed exploitation of the CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server on July 1, just one day after its public disclosure.

Wing FTP Server is a cross-platform file-transfer solution, supporting FTP, FTPS, SFTP, and HTTP/S. It is used by over 10,000 customers worldwide for secure data exchange, including Airbus, Reuters, and the US Air Force, according to its website.

The flaw, tracked as CVE-2025-47812, was patched on May 14 in version 7.4.4, but the researchers behind its discovery did not publish their findings until over a month after the fix.

RCE Security, which found and reported the issue, said in its report on June 30 that once Lua code is injected into a session file, execution as root on affected Wing FTP instances is trivial, hence the maximum possible severity score.

The main issue at play was the way in which the Wing ...


Copyright of this story solely belongs to theregister.co.uk.