CISA Alerts on Actively Exploited Wing FTP Vulnerability Exposing Server Paths
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog, which means CISA has evidence of exploitation in the wild. The flaw, tracked as CVE-2025-47813 with a CVSS score of 4.3, is an information disclosure issue: under a specific condition the server reveals its own installation path to the client.
CISA's KEV entry describes the weakness as the generation of error messages containing sensitive information when a long value is supplied in the UID cookie. It affects all versions up to and including 7.4.3 and was fixed in version 7.4.4, released in May 2025, following responsible disclosure by security researcher Julien Ahrens.
The same 7.4.4 release also fixed a critical vulnerability, CVE-2025-47812, which carries a CVSS score of 10.0 and allows unauthenticated remote code execution (a NUL byte in the username parameter lets an attacker inject Lua code into the session file the server later executes). Exploitation of that flaw was reported in July 2025, and CISA added it to the KEV catalog the same month.
In a proof-of-concept exploit published on GitHub, Ahrens showed that the /loginok.html endpoint does not properly validate the value of the UID session cookie. If the supplied value is longer than the operating system's maximum path length, the server fails while handling it and returns an error message that discloses the full local path of the installation. On its own this is a low-impact leak, which is why the CVSS score is low, but an attacker who knows the exact installation directory can use it to support further exploitation, for example of CVE-2025-47812.
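The exploitation condition described above, a long UID cookie value sent to /loginok.html, is easy to look for in web-server or reverse-proxy logs. The following detection logic is an added example written for this article; it is not code from Wing FTP Software, from the original page, or from the researcher's proof of concept. The log format, the field names and the sample lines are constructed for the example, and the 64-character well-formed session-identifier limit is an assumption of the example rather than Wing FTP's documented format.

```python
"""Flag over-long or malformed UID session cookies sent to /loginok.html.

Added example for this article; not Wing FTP Server code and not the
researcher's proof of concept. Assumes a reverse-proxy / WAF log format
(constructed below) that records the request line and the Cookie header.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows MAX_PATH is 260 and Linux PATH_MAX is 4096. A UID longer than the
# platform's maximum path length matches the "long value" condition that
# triggers the path-disclosing error; the smaller limit is used by default so
# Windows hosts are covered.
WINDOWS_MAX_PATH = 260
LINUX_PATH_MAX = 4096

# Assumed shape of a legitimate session identifier (this example's own choice,
# not Wing FTP's documented format): a short alphanumeric token.
SAFE_UID = re.compile(r"^[A-Za-z0-9]{1,64}$")

# Constructed log format: <ts> <src> "<method> <path> <proto>" <status> cookie="<header>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    path: str
    uid_len: int
    reason: str


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (first occurrence wins)."""
    out = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        out.setdefault(name, value)
    return out


def assess_uid(uid: str, max_path: int = WINDOWS_MAX_PATH) -> Optional[str]:
    """Return a reason if the UID looks like a probe for the flaw, else None."""
    if len(uid) > max_path:
        return f"UID length {len(uid)} exceeds maximum path length {max_path}"
    if not SAFE_UID.match(uid):
        return "UID is not a well-formed session identifier (unexpected characters or length)"
    return None


def scan(lines, max_path: int = WINDOWS_MAX_PATH) -> List[Finding]:
    """Scan log lines and return findings for suspicious UID cookies on /loginok.html."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["path"].split("?")[0] != "/loginok.html":
            continue
        uid = parse_cookie(m["cookie"]).get("UID")
        if uid is None:
            continue
        reason = assess_uid(uid, max_path)
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["path"], len(uid), reason))
    return findings


# Constructed sample traffic (not real log data). The third line carries the
# same long UID but targets a different endpoint and is deliberately ignored.
SAMPLE_LOG = [
    '2026-03-10T08:00:01Z 203.0.113.5 "POST /loginok.html HTTP/1.1" 200 cookie="UID=7f3a9c0e1b2d4e5f"',
    '2026-03-10T08:00:02Z 198.51.100.9 "GET /loginok.html HTTP/1.1" 500 cookie="UID=' + "A" * 300 + '"',
    '2026-03-10T08:00:03Z 198.51.100.9 "GET /main.html HTTP/1.1" 200 cookie="UID=' + "A" * 300 + '"',
    '2026-03-10T08:00:04Z 192.0.2.77 "GET /loginok.html HTTP/1.1" 500 cookie="lang=en; UID=../../etc/passwd"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample the scan reports two findings: the 300-character UID from 198.51.100.9 (longer than the Windows MAX_PATH default) and the traversal-style UID from 192.0.2.77, which is short but not a plausible session token. The same long UID aimed at /main.html is ignored, because the page-specific condition is what matters for this CVE; a broader rule for any endpoint would raise the noise floor considerably. Pair such a rule with a 500-series response status if your logs record it, since the disclosure happens in an error path.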
Specific details of how CVE-2025-47813 is being exploited have not been made public, but its usefulness as a stepping stone to other vulnerabilities is reason enough for prompt remediation. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV entries by the listed due date, which for this flaw is March 30, 2026. For everyone else the practical takeaway is the same: any Wing FTP Server still on 7.4.3 or earlier is exposed to both the path disclosure and the critical remote code execution flaw, and upgrading to 7.4.4 or later closes both.