Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild


A critical vulnerability (CVE-2025-47812, CVSS 10.0) in Wing FTP Server is being actively exploited in the wild. The flaw, fixed in version 7.4.4, involves improper handling of null bytes in the web interface, enabling remote Lua code injection and arbitrary system command execution, potentially with root or SYSTEM privileges. The flaw is exploitable even via anonymous FTP accounts, and threat actors have used it to deploy malicious Lua files and to attempt persistence through user creation and remote tool installation. Users are urged to upgrade to version 7.4.4 or later to mitigate this severe risk.
