Security researchers are warning that hackers are launching attacks on computers that run Wing FTP Server using a critical vulnerability that could enable attackers to take control of an entire system.
The vulnerability, tracked as CVE-2025-47812, involves a null byte and Lua injection flaw that can lead to root-level remote code execution, according to researchers at Huntress.
Huntress researchers first observed a customer being exploited on July 1, just one day after the publication of prior research on the vulnerability.
Attackers can exploit the vulnerability by crafting a specific input in Lua, the programming language used for handling sessions in Wing FTP.
Wing FTP says roughly 10,000 customers use its service, including some large companies. The company told Cybersecurity Dive it has contacted customers by email with guidance on how to address the vulnerability through an upgrade.
Researchers at Shadowserver Foundation said they have observed active exploitation of the vulnerability since July 1. They have said that roughly 2,000 computers are running Wing FTP, although they are currently fingerprinting those computers to determine how many could be vulnerable.
The U.S., China and Germany have the most potential exposures, according to Shadowserver.
RCE Security said it discovered the problem while performing a test for one of its customers.
The company warned that the flaw can allow root-level access, giving an attacker an extremely high level of control over the system.
“Ultimately, this means that an unauthenticated attacker can escalate their privileges to the highest possible ones, which usually always means a total server compromise, including all secrets such as passwords,” said Julien Ahrens, a penetration tester at RCE Security. “They can read, modify and delete any file.”
This could not only enable data to be quietly exfiltrated, but could also leave systems vulnerable to ransomware.