A recently flagged Wing FTP vulnerability is now under active exploitation, prompting urgent warnings from US cybersecurity officials.
Quick Summary – TLDR:
- CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities list.
- The flaw leaks sensitive server installation paths through error messages.
- It can aid exploitation of a critical remote code execution bug.
- Federal agencies are ordered to patch systems by March 30, 2026.
What Happened?
The US Cybersecurity and Infrastructure Security Agency has warned that a Wing FTP Server vulnerability is being actively exploited in the wild. The issue exposes sensitive server details and could help attackers launch more serious attacks.
⚠️ CISA flags CVE-2025-47813 in Wing FTP as actively exploited.
— The Hacker News (@TheHackersNews) March 17, 2026
It leaks server paths via cookie errors—low severity, high value. Attackers can pair it with a known RCE flaw already used to deploy malware.
🔗 How it enables real attack chains → https://t.co/Rc3hBfsIPB
CISA Flags Active Exploitation Risk
The vulnerability, tracked as CVE-2025-47813, is classified as a medium severity information disclosure flaw with a CVSS score of 4.3. Despite its moderate rating, CISA added it to the Known Exploited Vulnerabilities catalog, confirming real world abuse.
Wing FTP Server, a widely used tool that supports multiple file transfer protocols across Windows, macOS, and Linux, is commonly managed through a web-based interface. This makes any exposed data especially valuable to attackers.
According to CISA, the flaw allows sensitive information leakage when a long value is passed into the UID cookie during an authenticated session. This triggers an error message that reveals the full local installation path of the server.
How the Vulnerability Works?
Security researcher Julien Ahrens from RCE Security, who discovered the flaw, explained the root cause in detail.
“If a value is supplied on this way that is longer than the maximum path size of the underlying operating system, an error message is triggered which discloses the full local server path,” he said.
The issue specifically affects the loginok.html endpoint, which fails to properly validate the UID cookie. Attackers can exploit this weakness by sending an overly long value, forcing the application to expose internal system details.
Key technical points include:
- Affects Wing FTP versions up to 7.4.3.
- Fixed in version 7.4.4 released in May 2025.
- Requires an authenticated session to exploit.
- Results in full disclosure of server installation paths.
Link to Critical Remote Code Execution Bug
While CVE-2025-47813 alone does not provide direct system access, it becomes significantly more dangerous when combined with another flaw.
Researchers warn that attackers can use the leaked server path to help exploit CVE-2025-47812, a critical vulnerability with a CVSS score of 10.0 that allows remote code execution.
This critical bug has already seen active exploitation since mid 2025. Security firm Huntress reported that attackers used it to:
- Download and execute malicious Lua files.
- Perform system reconnaissance.
- Install remote monitoring and management tools.
At one point, around 5,000 internet exposed servers were believed to be vulnerable to this attack chain.
Urgent Patch Deadline for Agencies
CISA has directed Federal Civilian Executive Branch agencies to remediate the issue by March 30, 2026.
Even though there are no confirmed details on how CVE-2025-47813 is currently being exploited, its inclusion in the KEV catalog signals that attackers are already leveraging it in real world scenarios.
Organizations using Wing FTP are strongly advised to:
- Upgrade immediately to version 7.4.4 or later.
- Review systems for suspicious activity.
- Limit exposure of internet facing FTP services.
SQ Magazine’s Takeaway
I think this is a classic example of why even a medium severity bug should never be ignored. On its own, this vulnerability might look harmless, but in reality, it acts like a gateway for much more dangerous attacks.
When attackers can combine small leaks like this with critical flaws, the damage can escalate quickly. If you are running Wing FTP and still have not patched, this is the kind of alert you should treat as urgent, not optional.
