Ravie Lakshmanan | Mar 17, 2026 | Vulnerability / Network Security

CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw affecting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions.

“Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie,” CISA said.

The shortcoming affects all versions of the software prior to and including version 7.4.3. The issue was addressed in version 7.4.4, shipped in May following responsible disclosure by RCE Security researcher Julien Ahrens.

It is worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution. As of July 2025, that vulnerability has come under active exploitation in the wild.

According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.

Ahrens, in a proof-of-concept (PoC) exploit shared on GitHub, noted that the endpoint at “/loginok.html” does not properly validate the value of the “UID” session cookie. As a result, if the supplied value is longer than the maximum path length of the underlying operating system, it triggers an error message that discloses the full local server path.

“Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812,” the researcher added.

There are currently no details on how the vulnerability is being exploited in the wild, or whether it is being abused in conjunction with CVE-2025-47812. In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026.
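Two defender-side checks that follow from the details above, written as an added example for this article rather than code from CISA, Huntress or the researcher: a sweep over proxy or WAF logs for requests to /loginok.html carrying a UID cookie longer than the host's path limit (the trigger condition described for CVE-2025-47813), and a version check against the 7.4.4 fix. The log layout, the sample lines and the OS path limits (260 for Windows, 4096 for Linux) are assumptions of the example.

```python
import re
from typing import NamedTuple

# Constructed sample of tab-separated proxy/WAF log lines (timestamp, client,
# method, path, Cookie header). The layout is an assumption of this example.
SAMPLE_LOG = (
    "2026-03-16T10:00:01Z\t203.0.113.5\tPOST\t/loginok.html\tUID=a1b2c3d4e5f6; lang=en\n"
    "2026-03-16T10:00:07Z\t203.0.113.9\tPOST\t/loginok.html\tUID=" + "A" * 300 + "\n"
    "2026-03-16T10:00:09Z\t203.0.113.9\tGET\t/index.html\tUID=" + "A" * 300 + "\n"
    "2026-03-16T10:00:12Z\t198.51.100.2\tPOST\t/loginok.html\tUID=" + "B" * 5000 + "\n"
)
FIXED_VERSION = (7, 4, 4)  # first release that patches CVE-2025-47813

class Finding(NamedTuple):
    timestamp: str
    client: str
    uid_len: int

def parse_cookies(header: str) -> dict:
    """Split a Cookie header into name -> value (last duplicate wins)."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def find_long_uid_logins(log_text: str, max_path: int) -> list:
    """Flag /loginok.html requests whose UID cookie is longer than max_path.

    The advisory ties the error to a UID value exceeding the host OS path limit,
    so pass that limit (assumed here: 260 on Windows, 4096 on Linux)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line: skip rather than abort the whole sweep
        ts, client, _method, path, cookie_header = fields
        if path.split("?", 1)[0] != "/loginok.html":
            continue
        uid = parse_cookies(cookie_header).get("UID", "")
        if len(uid) > max_path:
            findings.append(Finding(ts, client, len(uid)))
    return findings

def is_affected(version: str) -> bool:
    """True for Wing FTP versions prior to and including 7.4.3 (i.e. < 7.4.4)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION
```

With the Windows limit, the sweep flags the 300- and 5000-character cookies on /loginok.html but ignores the same long cookie sent to /index.html; with the Linux limit only the 5000-character request is flagged.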
