On 10 July 2025, a technical article was published by Huntress revealing that a maximum severity remote code execution vulnerability in Wing FTP Server, CVE-2025-47812, had been actively exploited by threat actors as early as 1 July 2025. Details of the vulnerability had originally been published on 30 June 2025, providing a comprehensive breakdown of the flaw and how to exploit it. Since proof-of-concept exploit code along with technical details are publicly available, exploitation will likely continue in the near future.
Threat actors exploiting this vulnerability must authenticate using either known credentials or the anonymous account, which requires no password but is disabled by default. When exploiting the vulnerability, a special set of characters is inserted into the username, bypassing string processing during login. This flaw allows threat actors to inject arbitrary Lua code into the application, which is executed upon visiting specific pages.
In observed cases of exploitation, threat actors attempted to download and execute malicious files, perform reconnaissance, and install remote monitoring and management software. Arctic Wolf has observed similar activity previously where newly disclosed vulnerabilities were exploited on edge devices to steal sensitive data and potentially deploy ransomware in the aftermath.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| Wing FTP Server | Versions before 7.4.4 | 7.4.4 and later |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
Resources
