PULSE NAME
Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild.
WHITE PetrP.73 2025-07-12 Modified: 2025-08-11
204 IOCs, HIGH VOLUME
CVE-2025-47812 is a critical vulnerability identified in the Wing FTP Server prior to version 7.4.4, affecting multiple platforms, including Windows, Linux, and macOS. The vulnerability arises from improper handling of null bytes in the username input during the authentication process, specifically through the loginok.html endpoint. By exploiting this flaw, attackers can perform Lua code injection, which may lead to remote code execution with root or SYSTEM-level privileges.

The attack vector begins when an adversary crafts a username input that includes a null byte (%00), allowing them to disrupt the expected string processing of the username. Following the null byte, they append characters that are interpreted as Lua code, which manipulates the session object files that typically store user information like the current directory and IP address. This payload ends with a comment to preserve the syntax, effectively enabling the injection of malicious Lua commands.
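A defender can screen for the request shape described above. The following is an added example, not code from the pulse or from Wing FTP: it flags login requests to loginok.html whose decoded username contains a NUL byte and checks a version string against the 7.4.4 fix. The form field name `username`, the record layout and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

FIXED_VERSION = (7, 4, 4)  # the pulse states versions prior to 7.4.4 are affected


def is_affected(version: str) -> bool:
    """True if a dotted Wing FTP Server version string is older than 7.4.4."""
    parts = tuple(int(p) for p in version.strip().split("."))
    padded = parts + (0,) * (3 - len(parts))  # "7.4" is compared as 7.4.0
    return padded < FIXED_VERSION


def username_has_nul(target: str, body: str) -> bool:
    """True if a request to loginok.html carries a NUL byte in 'username'.

    Checks both the query string and the urlencoded body, because
    parse_qsl percent-decodes values, turning %00 into a literal NUL.
    """
    url = urlsplit(target)
    if not url.path.lower().endswith("/loginok.html"):
        return False
    for source in (url.query, body):
        for key, value in parse_qsl(source, keep_blank_values=True):
            # Field name 'username' is an assumption about the login form.
            if key == "username" and "\x00" in value:
                return True
    return False


# Constructed sample requests (target, body); PLACEHOLDER stands in for
# whatever follows the null byte and is deliberately not a real payload.
SAMPLE_REQUESTS = [
    ("/loginok.html", "username=alice&password=x"),
    ("/loginok.html", "username=alice%00PLACEHOLDER&password=x"),
    ("/login.html", "username=alice%00PLACEHOLDER"),
]


def scan(requests):
    """Return the indexes of requests that match the CVE-2025-47812 shape."""
    return [i for i, (target, body) in enumerate(requests)
            if username_has_nul(target, body)]


if __name__ == "__main__":
    print("flagged request indexes:", scan(SAMPLE_REQUESTS))
    print("7.4.3 affected:", is_affected("7.4.3"))
```

A legitimate username never needs a NUL byte, so a match is worth alerting on or blocking at a reverse proxy in front of servers that cannot be upgraded immediately.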
Indicators of Compromise (204)