CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths
#Vulnerabilities


Security Reporter

CISA has added a medium-severity information disclosure vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities catalog, warning that attackers are actively exploiting CVE-2025-47813 to leak server installation paths and potentially chain attacks with other critical flaws.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity security flaw in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively exploiting the vulnerability in the wild.

Critical Path Disclosure Vulnerability

The vulnerability, tracked as CVE-2025-47813 with a CVSS score of 4.3, is an information disclosure flaw that leaks the installation path of the Wing FTP application under specific conditions. According to CISA, the issue stems from "a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie."

This shortcoming affects all versions of Wing FTP Server prior to and including version 7.4.3. The vulnerability was responsibly disclosed by RCE Security researcher Julien Ahrens and patched in version 7.4.4, released in May 2025.

Active Exploitation in the Wild

By July 2025, security researchers confirmed active exploitation of CVE-2025-47813. Huntress reported that attackers were leveraging the flaw to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software on compromised systems.

In a proof-of-concept exploit shared on GitHub, Ahrens demonstrated that the endpoint at "/loginok.html" fails to properly validate the value of the "UID" session cookie. When an attacker supplies a value longer than the maximum path size of the underlying operating system, it triggers an error message that discloses the full local server path.
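The trigger condition described above (a `UID` cookie longer than the host's maximum path length, sent to `/loginok.html`) is something a defender can look for in existing web access logs. The following Python script is an added example written for this article, not code from Wing FTP, CISA or the researcher. It assumes a combined-style access log with the request's `Cookie` header appended as a final quoted field (an assumed log layout), and uses the usual OS path limits (4096 for Linux `PATH_MAX`, 260 for Windows `MAX_PATH`) as the length thresholds; the sample log lines are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumed OS path-length limits used as thresholds (not stated in the article):
# Linux PATH_MAX is 4096, Windows MAX_PATH is 260. A UID cookie longer than the
# server host's limit is the condition the article describes.
PATH_LIMITS = {"linux": 4096, "windows": 260}

# Assumed log layout: combined access log with the Cookie header as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookies>[^"]*)"$'
)


def uid_cookie_length(cookie_header: str) -> Optional[int]:
    """Return the length of the UID cookie value, or None when no UID cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return None


def find_oversized_uid_requests(lines: Iterable[str], platform: str = "linux") -> List[Dict]:
    """Flag requests to /loginok.html whose UID cookie exceeds the host's path limit."""
    limit = PATH_LIMITS[platform]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if m.group("path").split("?", 1)[0] != "/loginok.html":
            continue
        length = uid_cookie_length(m.group("cookies"))
        if length is not None and length > limit:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "uid_len": length,
            })
    return hits


def _line(ip: str, path: str, uid: str) -> str:
    """Build one constructed log line in the assumed layout."""
    return (f'{ip} - - [10/Mar/2026:12:00:00 +0000] "GET {path} HTTP/1.1" 200 512 '
            f'"-" "Mozilla/5.0" "UID={uid}; lang=en"')


# Constructed sample log: one normal login, one oversized UID on the login endpoint,
# the same oversized cookie on an unrelated path, and a mid-sized value that only
# exceeds the Windows limit.
SAMPLE_LOG = [
    _line("203.0.113.10", "/loginok.html", "a1b2c3d4e5f6"),
    _line("198.51.100.7", "/loginok.html", "A" * 5000),
    _line("198.51.100.7", "/index.html", "A" * 5000),
    _line("203.0.113.10", "/loginok.html", "B" * 300),
]

if __name__ == "__main__":
    for platform in PATH_LIMITS:
        for hit in find_oversized_uid_requests(SAMPLE_LOG, platform):
            print(platform, hit)
```

The threshold should match the operating system the Wing FTP host actually runs on; on a Windows host a 300-character cookie is already past `MAX_PATH`, while the same request is unremarkable on Linux. Treat a hit as a reconnaissance indicator and pivot to the same source address in the rest of the logs.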

"Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812," the researcher noted.

Connection to Critical RCE Vulnerability

Version 7.4.4 also patches CVE-2025-47812, a critical remote code execution vulnerability in the same product with a CVSS score of 10.0. While there's no public confirmation yet, security experts suspect attackers may be chaining these vulnerabilities together—using the path disclosure to gather information needed to exploit the RCE flaw.

Urgent Patching Required

Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the necessary fixes. The vulnerability's inclusion in CISA's KEV catalog means it meets the agency's criteria for active exploitation and poses significant risk to federal systems.

Organizations using Wing FTP Server should immediately verify their version and upgrade to 7.4.4 or later if they haven't already done so. The vulnerability affects all prior versions, making this a critical security update for any organization running Wing FTP Server in their infrastructure.
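To turn "verify your version" into a repeatable check across a fleet, the following Python helper is an added example (not from Wing FTP or the article). It takes version strings as an administrator would read them from the server and applies the affected range the article gives: everything up to and including 7.4.3 is affected, 7.4.4 and later is fixed. The host inventory is constructed for the demonstration.

```python
from typing import Dict, Tuple

# Fixed version stated in the article; anything below it is affected.
FIXED_VERSION: Tuple[int, ...] = (7, 4, 4)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '7.4.3' (optionally 'v7.4.3') into a tuple of ints."""
    text = text.strip()
    if text[:1].lower() == "v":
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text: str) -> bool:
    """True when the version is 7.4.3 or earlier, the range the article reports."""
    return parse_version(version_text) < FIXED_VERSION


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch', 'ok' or 'unknown' (unparseable version string)."""
    result = {}
    for host, version in hosts.items():
        try:
            result[host] = "patch" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"  # needs a manual look rather than silent skip
    return result


# Constructed inventory: hostname -> version as reported by the server.
SAMPLE_INVENTORY = {
    "ftp-a.example": "7.4.3",
    "ftp-b.example": "7.4.4",
    "ftp-c.example": "v7.3.9",
    "ftp-d.example": "n/a",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts that come back as "unknown" deserve the same urgency as "patch" until someone has confirmed the version by hand; an unreadable version field is more often an unmanaged install than a fixed one.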

For more information on the vulnerability and patching procedures, visit the official Wing FTP Server documentation or consult your system administrator.
