Exploited Wing file transfer bug risks ‘total server compromise,’ CISA warns

A vulnerability in products from the file transfer company Wing FTP Server is being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) warned Monday.

The agency confirmed industry reports of exploitation, adding it to the Known Exploited Vulnerabilities (CVE) catalog and ordering all federal civilian agencies to patch the bug by August 4.

In the CVE entry, CISA said the bug carries a 10 out of 10 severity score and “guarantees a total server compromise.”

Wing FTP Server is a file transfer protocol software for Windows, Linux, and macOS that is used by thousands of organizations to transfer files, including the U.S. Air Force, Airbus, Sephora, Reuters, Sony and others.

Last month, cybersecurity researcher Julien Ahrens published a lengthy examination of the vulnerability, now listed as CVE-2025-47812. Two weeks later, incident responders at cybersecurity firm Huntress said they saw active exploitation on a customer on July 1 and urged organizations to update their Wing FTP Server to version 7.4.4 as soon as possible. 

Jamie Levy, director of adversary tactics at Huntress, told Recorded Future News that the attack they observed appeared to be a one-off. 

“They seemed to be feeling out what they could actually do with this vulnerability, but it didn’t appear to be organized in any way,” Levy said.  “It was more like they were working in ‘research mode.”

Huntress security researchers recreated a proof-of-concept exploit for the vulnerability and released a video demonstration of it. They also provided information on how defenders can see if they have been targeted through the bug and said they saw several different attackers go after the victim’s machine during the incident on July 1. 

“It seems like the attacker (the fourth one we had seen this day) had a difficult time running some commands, maybe due to their unfamiliarity with them, or because Microsoft Defender stopped part of their attack,” the researchers said. “Despite the threat actors’ unavailing activity, this incident shows that CVE-2025-47812 is being actively targeted at this point.”

Other incident responders at Arctic Wolf added that during observed cases of exploitation, hackers “attempted to download and execute malicious files, perform reconnaissance, and install remote monitoring and management software.” 

Wing FTP Server did not respond to requests for comment. 

On Monday, the Shadowserver Foundation said it saw about 2,000 Wing FTP Server instances exposed to the internet, including hundreds in the U.S. and Europe. Shadowserver said it has seen exploitation attempts since the start of July. 

Research company Censys said it observed 8,103 exposed devices running Wing FTP Server — 5,004 of which had exposed web interfaces that are potentially vulnerable.

File transfer tools are a popular target for cybercriminals because of the large companies that use them to send, and sometimes hold, large tranches of data. Widely-used tools from companies like CrushFTP, Cleo, MOVEit, GoAnywhere and Accellion have all faced campaigns of attacks by cybercriminal organizations over the last five years.