Code injection vulnerability in Wing FTP Server under active attack

Attackers are exploiting a vulnerability in the Wing FTP Server file transfer software that lets them inject and execute malicious code.


There is a gaping security hole in the Wing FTP Server file transfer software that allows attackers to inject and execute malicious code over the network. It has been given the highest possible risk rating of "critical". IT forensics experts observed the vulnerability being exploited in the wild as early as July 1.

According to the vulnerability description, the user and admin web interface mishandles "\0" (null) bytes, which mark the end of a character string in C-style code: a null byte in the supplied username ends the string as far as the validation step is concerned, while the complete value is still written out. In short, this lets attackers inject arbitrary Lua code into user session files. That code in turn allows arbitrary system commands to be executed with the privileges of the FTP server, which by default runs as "root" on Linux or "SYSTEM" on Windows. "This is therefore a remote code execution vulnerability that guarantees complete server compromise," write those reporting the vulnerability. It can also be exploited via anonymous FTP accounts, where anonymous access is enabled (CVE-2025-47812 / EUVD-2025-21009, CVSS 10.0, risk "critical").
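The bug class described above, a validation step that stops at the first null byte while a later step writes the full value into a Lua file, is easy to misjudge without seeing both halves side by side. The following Python model is an added illustration of that pattern and not Wing FTP's code; the account list, function names and the session-file layout are constructed for the example, and it is not an exploit for the product. It shows the vulnerable flow, a hardened flow that rejects control characters at the boundary and escapes at the sink, and a check that tells whether anything escaped the intended string literal.

```python
"""Toy model of a NUL-truncation / Lua-injection mismatch.

Illustration of the bug class only; not Wing FTP code. The account list,
function names and session-file format are constructed for this example.
"""
import re
from typing import Optional

# Hypothetical account database (constructed sample data).
KNOWN_USERS = {"anonymous", "alice"}


def c_style_truncate(s: str) -> str:
    """Mimic a C string consumer: everything from the first NUL byte on is invisible."""
    return s.split("\x00", 1)[0]


def lua_quote_naive(value: str) -> str:
    """The unsafe sink: the value is dropped between quotes with no escaping."""
    return '"' + value + '"'


def lua_quote_safe(value: str) -> str:
    """Escape everything that could terminate or break out of a Lua short string.

    Control characters become zero-padded decimal escapes (\\ddd) so that a
    following digit cannot be absorbed into the escape.
    """
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def write_session_vulnerable(username: str) -> Optional[str]:
    """Vulnerable flow: validate the NUL-truncated view, then write the full value."""
    # Step 1: the check only sees what a NUL-terminated consumer sees.
    if c_style_truncate(username) not in KNOWN_USERS:
        return None
    # Step 2: a different component writes the *whole* value into the Lua session file.
    return "username = " + lua_quote_naive(username) + "\n"


def write_session_hardened(username: str) -> Optional[str]:
    """Hardened flow: one consistent view of the value, plus escaping at the sink."""
    # Reject embedded NULs and other control characters before any component
    # sees them, so every consumer agrees on what the string is.
    if any(ord(c) < 0x20 or c == "\x7f" for c in username):
        return None
    # Validate the complete value, not a truncated view of it.
    if username not in KNOWN_USERS:
        return None
    # Defence in depth: escape at the sink even though the input is now clean.
    return "username = " + lua_quote_safe(username) + "\n"


# Exactly one Lua string assignment on one line: nothing outside the literal.
LUA_STRING_ASSIGNMENT = re.compile(r'^username = "((?:[^"\\\n]|\\.)*)"\n$')


def stays_one_assignment(session_text: str) -> bool:
    """True if the session file is still a single string assignment."""
    return LUA_STRING_ASSIGNMENT.fullmatch(session_text) is not None


if __name__ == "__main__":
    # Constructed payload: a known name, a NUL, then text that closes the literal.
    payload = 'anonymous\x00"\nos.execute("id")\nx = "'
    print("vulnerable:", repr(write_session_vulnerable(payload)))
    print("  single assignment?", stays_one_assignment(write_session_vulnerable(payload)))
    print("hardened:  ", repr(write_session_hardened(payload)))
    print("hardened (alice):", repr(write_session_hardened("alice")))
```

The point of the model is that the two consumers disagree about where the string ends: the check passes because it sees only "anonymous", while the writer emits everything after the null byte verbatim, so the generated file contains a second statement. The hardened version fixes both halves, rejecting control characters before validation and escaping at the sink, rather than relying on either measure alone.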

IT security researchers from Huntress describe the attacks they observed in a blog post, including details of the attackers' activity on compromised servers, and provide a list of Indicators of Compromise (IOCs) at the end.


The vulnerability affects Wing FTP Server versions before 7.4.4, which has been available for download since May 14, 2025; the changelog explicitly mentions the vulnerability being closed. Wing FTP Server is available from the download page for Linux, macOS and Windows. Administrators should install the update promptly and, since exploitation in the wild predates many installations being patched, also check existing servers against the published indicators of compromise.

File transfer software is attractive to cybercriminals, since vulnerabilities in it often give them access to sensitive data, which they can then use to extort companies for ransom. The Cl0p gang used vulnerabilities in the Progress MOVEit Transfer software in this way to steal data from many well-known companies and even US government agencies.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.