10/10 Wing FTP bug exploited within hours, cyber pros say

"The main issue was the way in which the Wing FTP web interface handled null bytes in the username field, allowing attackers to execute a Lua injection attack."
"Attackers typically use these writeups to craft their own exploit code. Within 24 hours of the vulnerability's public disclosure, attacks began."
On July 1, one day after public disclosure, Huntress observed exploitation of a CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server. The software, used by over 10,000 clients worldwide, faced attacks exploiting a vulnerability in the handling of null bytes in usernames, which allows Lua code execution. The flaw, disclosed after a patch on May 14, had one recorded exploit attempt in the wild. Attackers acted quickly, with several attempts reported within 24 hours, illustrating the importance of swift patching and awareness for users.
Read at The Register