CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation

On March 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively exploiting the flaw in real-world attacks.

Vulnerability Details

Tracked as CVE-2025-47813 (CVSS score: 4.3), the vulnerability is an information disclosure flaw that exposes the application’s installation path when specific conditions are met. The weakness falls under CWE-209, which describes errors where software generates messages containing sensitive operational details.

According to CISA’s advisory, “Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie.”

Technical Exploitation Mechanism

RCE Security researcher Julien Ahrens discovered the vulnerability and demonstrated that the /loginok.html endpoint fails to properly validate the UID session cookie value. When an attacker submits a string longer than the operating system’s maximum path size, the server generates a verbose error message that inadvertently discloses the full local server path.

“Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812,” Ahrens noted in his proof-of-concept disclosure.

Why This Matters: Attack Chain Implications

While CVE-2025-47813 carries only a medium CVSS score, its significance lies in how it can enable more severe attacks. The vulnerability is directly linked to CVE-2025-47812 (CVSS score: 10.0), a critical remote code execution vulnerability in the same product that has been under active exploitation since July 2025.

According to Huntress, attackers have leveraged the RCE vulnerability to:

  • Download and execute malicious Lua files
  • Conduct reconnaissance on target networks
  • Install remote monitoring and management (RMM) software for persistent access

By chaining the information disclosure bug with the RCE vulnerability, threat actors can more effectively map target environments and craft precise exploitation payloads.

Affected Versions and Remediation

The vulnerability affects all Wing FTP Server versions up to and including 7.4.3. Version 7.4.4, released in May 2025 following responsible disclosure, addresses both CVE-2025-47813 and the critical CVE-2025-47812 vulnerability.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply necessary fixes by March 30, 2026. While this directive formally applies to federal networks, CISA strongly urges all organizations to prioritize this update.

Security Recommendations

  • Immediate patching: Update Wing FTP Server to version 7.4.4 or later
  • Temporary mitigation: If immediate patching is not feasible, consider temporarily discontinuing use of the affected product
  • Network monitoring: Monitor for unusual file transfer activity and unexpected error responses
  • Access controls: Restrict access to file transfer servers from the public internet where possible

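A defender-side check for the condition described in the technical section and the "unexpected error responses" recommendation above, added here as an example that is not from the article, CISA, or Wing FTP. It parses a constructed, simplified access-log format (client, path, status, Cookie header) and flags /loginok.html requests whose UID cookie exceeds an assumed OS path limit; the limits, log format and sample records are all assumptions.

```python
import re

# Assumed OS path limits: the article says the probe value exceeds the OS
# maximum path size but gives no number, so these thresholds are assumptions.
MAX_PATH_WINDOWS = 260
MAX_PATH_LINUX = 4096

# Constructed log format (not Wing FTP's own): client, request path, status, Cookie header.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<cookie>[^"]*)"$')

# Constructed sample records; the second one carries a 300-byte UID value.
SAMPLE_LOG = """\
203.0.113.10 /loginok.html 200 "UID=ab12cd34; lang=en"
203.0.113.77 /loginok.html 500 "UID={uid}; lang=en"
198.51.100.5 /index.html 200 "UID=ab12cd34"
203.0.113.77 /loginok.html 200 "lang=en"
""".format(uid="A" * 300)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def uid_cookie_length(cookie_header):
    """Length of the UID cookie value in a Cookie header (0 if absent)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0


def flag_probes(lines, max_path=MAX_PATH_WINDOWS):
    """Return (ip, uid_length, status) for /loginok.html requests whose UID
    cookie is longer than the OS path limit, the condition the article describes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/loginok.html":
            continue
        n = uid_cookie_length(rec["cookie"])
        if n > max_path:
            hits.append((rec["ip"], n, int(rec["status"])))
    return hits


if __name__ == "__main__":
    for ip, n, status in flag_probes(SAMPLE_LOG.splitlines()):
        print(f"oversized UID cookie from {ip}: {n} bytes, HTTP {status}")
```

Pair the hit with the server's own error log for the same request: an oversized UID cookie followed by a verbose error response is the disclosure pattern to alert on, and a source that then fetches the installation path into later requests is the chaining behaviour the article warns about.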
File transfer servers remain attractive targets for threat actors due to their internet-facing nature and the sensitive data they often handle. Organizations should treat this KEV addition as a critical warning, regardless of the vulnerability’s medium severity score.

Source: The Hacker News