CVE-2025-47812 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-10

Added to CISA KEV: 2025-07-14 4 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
IMMEDIATE: Upgrade Wing FTP Server to version 7.4.4 or later
URGENT: If immediate patching is not possible, temporarily disable or restrict network access to Wing FTP Server instances
Monitor for unauthorized access attempts and unusual system activity on FTP servers
Implement network segmentation to limit exposure of FTP servers
Review and harden FTP server configurations, disable anonymous access if not required

CVE-2025-47812 is a critical remote code execution (RCE) vulnerability affecting Wing FTP Server. Here's what is known about its exploitation:

Internet-facing applications/services: Internet-facing Wing FTP Server instances are vulnerable to this exploit ^[1].

Active exploitation: CVE-2025-47812 is actively being exploited in the wild ^[2]^[1].

Attack vectors and exploitation methods: The vulnerability is due to a Lua injection flaw ^[2]. This allows attackers to execute arbitrary system commands with the privileges of the FTP service, potentially gaining root or SYSTEM privileges, leading to total server compromise ^[3]^[4]. The vulnerability can be exploited even via anonymous FTP accounts ^[4]. A proof-of-concept exploit has been created to demonstrate how the vulnerability can be leveraged in attacks ^[5]. The mishandling of null bytes within the user and administrator web interfaces also contributes to the vulnerability ^[6].

Targeted attacks: While not explicitly stated, vulnerabilities like CVE-2025-47812 are attractive targets for various malicious actors, including ransomware operators and advanced persistent threat (APT) groups, who routinely scan the internet for exposed instances of popular software packages ^[7].

CISA Known Exploited Vulnerabilities (KEV) status: CISA has added CVE-2025-47812 to its KEV catalog, indicating that it is a known exploited vulnerability and poses a significant risk to federal enterprises ^[7]^[8].

Technical details about internet exploitability: The attack vector is more severe the more remote the attacker can be, both logically and physically ^[9]. The vulnerability is also more severe for the least complex attacks, and if no privileges are required to exploit it ^[9].

Vulnerability Alert: CVE-2025-47812: Wing FTP Server Remote Code...
... internet-facing Wing FTP Server instances are currently vulnerable ... Critical Wing FTP Server vulnerability exploited in the wild (CVE-2025-47812).
Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being ...
Critical vulnerability (CVE-2025-47812) in Wing FTP Server exposed to active exploitation via Lua injection. Immediate patching needed.
Known Exploited Vulnerabilities Catalog | CISA
CVE-2025-47812.This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
CVE-2025-47812 - Vulnerability Details - OpenCVE
This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Hackers are exploiting critical RCE flaw in Wing FTP Server
Threat researchers at managed cybersecurity platform Huntress created a proof-of-concept exploit for CVE-2025-47812 and show in the video below how hackers could leverage it in attacks:…

🔴 CVE-2025-47812