Hackers exploited a critical vulnerability in Wing FTP Server, a widely used file transfer solution, just one day after the flaw’s disclosure. The vulnerability allows unauthenticated remote code execution, enabling attackers to run code as root or SYSTEM on vulnerable servers. Although a fix had been available for over a month, many users remained unpatched. The attack was unsuccessful due to Microsoft Defender, but the attackers attempted to escalate privileges, perform reconnaissance, and create new users to maintain persistence. Researchers recommend upgrading to version 7.4.4 immediately.
TPRM report: https://scoringcyber.rankiteo.com/company/connect-secure-vulnerability-management
{
  "id": "con704072025",
  "linkid": "connect-secure-vulnerability-management",
  "type": "Vulnerability",
  "date": "7/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'More than 10,000 organizations globally, including Airbus, Reuters, and the US Air Force',
                        'industry': 'File Transfer Management',
                        'location': 'Global',
                        'name': 'Wing FTP Server',
                        'type': 'Software'}],
 'attack_vector': 'Null byte injection in the username field',
 'date_detected': '2025-06-30',
 'date_publicly_disclosed': '2025-06-30',
 'description': 'Hackers launched attacks just one day after the flaw’s full technical write-up was made public. Many servers stayed vulnerable for weeks despite a fix being released long before the disclosure. Null byte injection in the username field lets attackers bypass login and run Lua code.',
 'initial_access_broker': {'entry_point': 'Null byte injection in the username field'},
 'motivation': ['Privilege escalation', 'Reconnaissance', 'Persistence'],
 'post_incident_analysis': {'corrective_actions': ['Upgrade to version 7.4.4',
                                                   'Disable HTTP/S access',
                                                   'Remove anonymous login options',
                                                   'Monitor session file directories'],
                            'root_causes': 'Improper input sanitization and unsafe handling of null-terminated strings'},
 'recommendations': ['Upgrade to version 7.4.4',
                     'Disable HTTP/S access',
                     'Remove anonymous login options',
                     'Monitor session file directories'],
 'references': [{'source': 'The Register'}, {'source': 'BleepingComputer'}],
 'response': {'containment_measures': ['Upgrade to version 7.4.4',
                                       'Disable HTTP/S access',
                                       'Remove anonymous login options',
                                       'Monitor session file directories']},
 'title': 'Critical Vulnerability in Wing FTP Server Exploited',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-47812'}