{ "type": "Domain", "indicator": "cloudyforky.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloudyforky.com", "alexa": "http://www.alexa.com/siteinfo/cloudyforky.com", "indicator": "cloudyforky.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4089624800, "indicator": "cloudyforky.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "68720cfb1b4cf43a6804f055", "name": "Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild.", "description": "CVE-2025-47812 is a critical vulnerability identified in the Wing FTP Server prior to version 7.4.4, affecting multiple platforms, including Windows, Linux, and macOS. The vulnerability arises from improper handling of null bytes in the username input during the authentication process, specifically through the loginok.html endpoint. By exploiting this flaw, attackers can perform Lua code injection, which may lead to remote code execution with root or SYSTEM-level privileges. The attack vector begins when an adversary crafts a username input that includes a null byte (%00), allowing them to disrupt the expected string processing of the username. Following the null byte, they append characters that are interpreted as Lua code, which manipulates the session object files that typically store user information like the current directory and IP address. This payload ends with a comment to preserve the syntax, effectively enabling the injection of malicious Lua commands.", "modified": "2025-08-11T07:03:36.795000", "created": "2025-07-12T07:21:31.172000", "tags": [ "wing ftp", "currentpath", "powershell", "june", "python", "password", "sha256", "bumbling", "webhook site", "beacon trojan" ], "references": [ "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 26, "URL": 103, "hostname": 33, "domain": 40 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "294 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "68720cfb1b4cf43a6804f055", "name": "Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild.", "description": "CVE-2025-47812 is a critical vulnerability identified in the Wing FTP Server prior to version 7.4.4, affecting multiple platforms, including Windows, Linux, and macOS. The vulnerability arises from improper handling of null bytes in the username input during the authentication process, specifically through the loginok.html endpoint. By exploiting this flaw, attackers can perform Lua code injection, which may lead to remote code execution with root or SYSTEM-level privileges. The attack vector begins when an adversary crafts a username input that includes a null byte (%00), allowing them to disrupt the expected string processing of the username. Following the null byte, they append characters that are interpreted as Lua code, which manipulates the session object files that typically store user information like the current directory and IP address. This payload ends with a comment to preserve the syntax, effectively enabling the injection of malicious Lua commands.", "modified": "2025-08-11T07:03:36.795000", "created": "2025-07-12T07:21:31.172000", "tags": [ "wing ftp", "currentpath", "powershell", "june", "python", "password", "sha256", "bumbling", "webhook site", "beacon trojan" ], "references": [ "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 26, "URL": 103, "hostname": 33, "domain": 40 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "294 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloudyforky.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloudyforky.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780347294.3376844 }