Wing FTP Server Under Active Attack — Critical RCE Vulnerability CVE-2025-47812

A critical pre-auth remote code execution (RCE) vulnerability in Wing FTP Server, tracked as CVE-2025-47812, is now being exploited in the wild, with attackers targeting publicly exposed systems.

The vulnerability affects Windows, Linux, and macOS versions of Wing FTP Server prior to v7.3.1, and allows unauthenticated attackers to run arbitrary system commands via crafted HTTP requests.


About CVE-2025-47812

  • Severity: Critical (CVSS v3: 9.8)
  • Type: Pre-authentication Remote Code Execution
  • Affected software: Wing FTP Server < v7.3.1
  • Exploit vector: Malicious HTTP request to the web-based admin interface (port 5466)

Security firm Rapid7 discovered the flaw and reports active exploitation in the wild, outlining the vulnerability and its impact.


Real-World Exploits Confirmed

Researchers observed attackers leveraging this vulnerability in real-world intrusions. Public proof-of-concept exploits are also available, increasing the risk of widespread abuse.

“It’s being exploited right now — if you run Wing FTP and haven’t patched, you are at serious risk,” warns Rapid7.


🛠️ Immediate Action Required

Update to v7.3.1 or later from the official Wing FTP site.


Temporary Mitigation (if patching isn’t possible yet)

  • Restrict external access to the admin interface (default: TCP 5466)
  • Apply strict IP filtering or tunnel access through VPN
  • Monitor for unauthorized access or new user creation
  • Enable and review detailed server logs
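
To prioritize the patching and access-restriction steps above across several servers, the following Python sketch is an added example (not from the original advisory or from Wing FTP). It flags hosts below the fixed version 7.3.1 and hosts whose admin port 5466 accepts TCP connections. The function names, inventory and addresses are constructed for illustration, and reachability is measured from wherever the script runs, so run it from outside the perimeter to check external exposure.

```python
import socket

FIXED_VERSION = (7, 3, 1)  # first patched release, per this advisory
ADMIN_PORT = 5466          # default admin interface port, per this advisory

def parse_version(text):
    """'v7.3' -> (7, 3, 0); returns None if the string is not dotted digits."""
    try:
        parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version_text):
    """Unparseable versions fail closed: treated as vulnerable until verified."""
    version = parse_version(version_text)
    return version is None or version < FIXED_VERSION

def port_reachable(host, port=ADMIN_PORT, timeout=2.0):
    """True if a TCP connection completes from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

ACTIONS = {  # (vulnerable, admin port reachable) -> (rank, action)
    (True, True): (0, "URGENT: patch and block admin port"),
    (True, False): (1, "patch to 7.3.1 or later"),
    (False, True): (2, "restrict admin port to VPN or allowlist"),
    (False, False): (3, "ok"),
}

def triage(inventory, probe=port_reachable):
    """Return (host, action) pairs sorted worst first."""
    ranked = [(ACTIONS[(is_vulnerable(v), bool(probe(h)))], h)
              for h, v in inventory]
    return [(h, action) for (_, action), h in sorted(ranked)]

if __name__ == "__main__":
    # Constructed inventory (documentation addresses) and a stubbed probe,
    # so the demo runs offline; drop `probe=` to test real reachability.
    inventory = [("192.0.2.11", "7.3.1"), ("192.0.2.10", "v7.3.0"),
                 ("192.0.2.12", "7.4.0"), ("192.0.2.13", "unknown")]
    exposed = {"192.0.2.10", "192.0.2.12"}
    for host, action in triage(inventory, probe=lambda h: h in exposed):
        print(f"{host:12} {action}")
```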

Final Recommendations

  • Patch immediately to Wing FTP Server v7.3.1
  • Never expose admin interfaces directly to the internet
  • Stay updated with CVE feeds and vendor advisories
  • Treat this as an active threat, not just a theoretical risk

🔐 Don’t wait until it’s too late. Patch CVE-2025-47812 now.