CISA Adds Wing FTP Vulnerability to KEV Amid Active Exploitation

CISA has issued a new warning about a vulnerability in the widely used Wing FTP Server, adding it to its Known Exploited Vulnerabilities (KEV) catalog after confirming that attackers are actively exploiting the flaw. Even though the vulnerability is rated as medium severity, security experts warn that it could help attackers gather sensitive information and assist in launching more serious attacks.

The flaw, tracked as CVE-2025-47813, has a CVSS score of 4.3, indicating moderate risk. However, its presence in the KEV catalog means that attackers are already using it in real-world attacks, making it an urgent concern for organizations that rely on Wing FTP Server.

According to CISA, the vulnerability is an information disclosure issue that can reveal the internal installation path of the Wing FTP Server application. This information may seem minor at first, but it can provide attackers with valuable details about the system’s structure.

The issue occurs when the server processes an unusually long value inside the UID session cookie. If the value exceeds the maximum path length supported by the underlying operating system, the server generates an error message. This error message unintentionally exposes sensitive information, including the full local path of the application on the server.

Such information can help attackers better understand the server environment and identify other weaknesses that can be exploited.

The vulnerability impacts all versions of Wing FTP Server up to and including version 7.4.3. The issue has already been fixed in version 7.4.4, which was released in May 2025.

The vulnerability was responsibly disclosed by cybersecurity researcher Julien Ahrens from RCE Security. After discovering the flaw, the researcher worked with the vendor to ensure that the issue was patched before detailed technical information became widely available.

Organizations running older versions of the software are strongly encouraged to upgrade immediately to prevent potential exploitation.

Interestingly, the same update that fixed CVE-2025-47813 also patched a far more dangerous vulnerability known as CVE-2025-47812. This vulnerability carries a CVSS score of 10.0, which is the highest possible severity rating.

The critical flaw allows attackers to perform remote code execution (RCE) on vulnerable Wing FTP servers. With RCE access, attackers can run malicious commands, install malware, and gain full control over the affected system.

Security researchers have already observed attackers exploiting this critical bug in the wild. Threat actors have used it to download malicious scripts, gather system information, and install remote access tools.

Cybersecurity company Huntress reported that attackers have already started abusing the RCE vulnerability to deploy malicious Lua scripts on compromised systems.

These attacks typically follow a structured pattern:

  • Attackers first gain access to the vulnerable system.

  • They download and execute malicious Lua files.

  • The scripts conduct system reconnaissance to gather information about the network.

  • Finally, attackers install remote monitoring and management (RMM) tools to maintain long-term access.

While the information disclosure flaw alone may not give attackers full system control, it can make exploitation of the critical RCE vulnerability easier.

In a proof-of-concept exploit published on GitHub, researcher Julien Ahrens demonstrated how attackers can trigger the vulnerability.

The issue lies in the /loginok.html endpoint, which fails to properly validate the UID session cookie value. If an attacker sends a cookie value longer than the system’s maximum path length, the server responds with an error message that exposes the complete server installation path.

This information can then be used to craft more precise attacks against the system.

Ahrens explained that an attacker with valid authentication could exploit this vulnerability to retrieve internal server path details. These details could then help attackers launch additional attacks, including those targeting CVE-2025-47812.

Although CISA confirmed that the vulnerability is being actively exploited, there are currently no public details explaining exactly how attackers are using it in real-world attacks.

It also remains unclear whether threat actors are combining this information disclosure bug with the critical remote code execution vulnerability to achieve deeper system compromise.

However, the addition of CVE-2025-47813 to the KEV catalog indicates that the risk is significant enough to require immediate attention from organizations.

Because of the active exploitation risk, CISA has instructed U.S. Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches as soon as possible.

The agency has set March 30, 2026, as the deadline for federal agencies to secure their systems and eliminate the vulnerability from their networks.

Organizations using Wing FTP Server should take the following security steps immediately:

  1. Upgrade to version 7.4.4 or later to patch the vulnerability.

  2. Monitor server logs for unusual login attempts or abnormal cookie values.

  3. Restrict external access to FTP management interfaces whenever possible.

  4. Apply security monitoring to detect suspicious scripts or unauthorized remote tools.

  5. Implement network segmentation to limit the impact of potential breaches.
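
For step 2, a minimal log check for abnormal cookie values, given here as an added example and not code from CISA, the vendor, or the researcher. It assumes a reverse proxy in front of the server that records the Cookie header in the constructed line format shown; the 255-character threshold and the function names are also assumptions.

```python
import re

# Assumption: legitimate session IDs are short, so anything approaching an
# OS path limit (260 for Windows MAX_PATH, 4096 for Linux PATH_MAX) is abnormal.
UID_MAX_LEN = 255

# Assumed proxy log format: ip "METHOD path HTTP/x" status "Cookie header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def uid_cookie(header):
    """Return the UID cookie value from a Cookie header, or None if absent."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "UID":
            return value
    return None

def find_oversized_uid(lines, max_len=UID_MAX_LEN):
    """Return (line_no, ip, uid_length) for /loginok.html requests whose UID is too long."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?", 1)[0]
        if path.lower() != "/loginok.html":
            continue
        uid = uid_cookie(m["cookie"])
        if uid is not None and len(uid) > max_len:
            hits.append((no, m["ip"], len(uid)))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.10 "POST /loginok.html HTTP/1.1" 200 "UID=' + "a" * 64 + '"',
    '198.51.100.7 "POST /loginok.html HTTP/1.1" 200 "lang=en; UID=' + "A" * 5000 + '"',
    '198.51.100.7 "GET /main.html HTTP/1.1" 200 "UID=' + "A" * 5000 + '"',
    'garbage line',
]

if __name__ == "__main__":
    for no, ip, n in find_oversized_uid(SAMPLE):
        print(f"line {no}: {ip} sent a {n}-character UID cookie to /loginok.html")
```

Tune `max_len` to the session ID length your deployment actually issues; a hit on a server still running 7.4.3 or earlier warrants reviewing the same source's other activity.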

The addition of CVE-2025-47813 to CISA’s Known Exploited Vulnerabilities catalog highlights how even medium-severity flaws can become serious threats when combined with other vulnerabilities.

In this case, an information disclosure bug in Wing FTP Server could help attackers gather critical system details that may support the exploitation of more dangerous vulnerabilities like CVE-2025-47812.

For organizations running Wing FTP Server, patching the system immediately and strengthening monitoring capabilities is the best way to reduce the risk of compromise. Keeping software updated and addressing even moderate vulnerabilities quickly remains a key part of modern cybersecurity defense strategies.
