Full Report
Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public. [...]
Analysis Summary
# Vulnerability: Critical RCE in Wing FTP Server
## CVE Details
- CVE ID: CVE-2025-47812 (inferred from context describing the vulnerability being exploited)
- CVSS Score: Critical (Severity inferred from "critical RCE flaw" description)
- CWE: [Not specified in the provided text]
## Affected Systems
- Products: Wing FTP Server
- Versions: Versions prior to **7.4.4** are vulnerable (as 7.4.4 is the patched version).
- Configurations: Open HTTP/HTTPS web portal is likely required for exploitation.
## Vulnerability Description
The vulnerability is a critical Remote Code Execution (RCE) flaw in Wing FTP Server. This flaw allows unauthenticated remote attackers to upload and execute arbitrary code on the affected server. The observed exploitation attempts involved downloading and executing malware, performing reconnaissance, establishing persistence, and exfiltrating data using tools like `cURL` and webhooks.
## Exploitation
- Status: **Exploited in the wild** (Reported by Huntress with active exploitation attempts observed).
- Complexity: Low to Medium (Implied by widespread scanning and relative ease of use reported by researchers).
- Attack Vector: Network (Remote exploitation via the web portal).
## Impact
- Confidentiality: High (Ability to exfiltrate data).
- Integrity: High (Ability to execute arbitrary code and establish persistence).
- Availability: High (Potential for complete system compromise or denial of service).
## Remediation
### Patches
- Upgrade to **Wing FTP Server version 7.4.4** or later.
### Workarounds
If immediate upgrading is not possible:
1. Disable or restrict HTTP/HTTPS access to the Wing FTP web portal.
2. Disable anonymous logins.
3. Monitor the session directory for suspicious additions.
## Detection
- **Indicators of Compromise (IOCs):** Unusual network activity involving outbound HTTPS requests from Wing FTP server processes, attempts to use `cURL` or execute shell commands originating from unexpected processes, and suspicious file creation in the session directory.
- **Detection methods and tools:** Monitor web server logs for suspicious POST requests targeting the FTP server web interface. Use endpoint detection and response (EDR) tools to look for command-line activity (like `cURL`) spawned by the Wing FTP service process.
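
The EDR check described above can be expressed as a parent/child filter over process-creation telemetry. The sketch below is an added example, not code from Huntress or the vendor. It assumes the service binary is named `WFTPServer`, that events arrive as JSON lines with hypothetical `parent`, `image` and `cmdline` fields, and it uses constructed sample events with a placeholder install path.

```python
import json
from pathlib import PureWindowsPath

# Assumption: base name of the Wing FTP service binary; confirm it on your hosts.
SERVICE_STEM = "wftpserver"
# Child processes matching the page's indicators: cURL and shell command execution.
WATCHED_CHILDREN = {"curl", "cmd", "powershell", "pwsh", "sh", "bash"}

# Constructed process-creation events (hypothetical field names, placeholder paths).
SAMPLE_EVENTS = r"""
{"ts": "2025-01-01T10:00:00Z", "parent": "C:\\INSTALL_DIR\\WFTPServer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2025-01-01T10:00:05Z", "parent": "C:\\INSTALL_DIR\\WFTPServer.exe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -s https://webhook.example.invalid/x"}
{"ts": "2025-01-01T10:01:00Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe https://example.invalid/"}
{"ts": "2025-01-01T10:02:00Z", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\INSTALL_DIR\\WFTPServer.exe", "cmdline": "WFTPServer.exe"}
truncated or non-JSON line that the parser must skip
"""


def stem(path):
    """Lower-cased file name without extension; accepts both \\ and / separators."""
    return PureWindowsPath(path or "").stem.lower()


def flag_service_children(lines, service=SERVICE_STEM, watched=WATCHED_CHILDREN):
    """Return events where a watched tool was spawned directly by the FTP service."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate damaged log lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        if stem(event.get("parent")) == service and stem(event.get("image")) in watched:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in flag_service_children(SAMPLE_EVENTS.splitlines()):
        print(hit["ts"], stem(hit["image"]), "<-", stem(hit["parent"]), "|", hit["cmdline"])
```

The same `curl` launched by an interactive user is not flagged; only the service process as direct parent triggers a hit, which keeps the rule quiet on administrator workstations.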
## References
- Vendor Advisory: [Implied vendor advisory likely accompanies the patch release]
- Relevant links:
  - Huntress analysis: hXXps://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild (Defanged)
  - BleepingComputer Article: hXXps://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/ (Defanged)