Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions.
Analysis Summary
# Vulnerability: Wing FTP Server Information Disclosure
## CVE Details
- **CVE ID:** CVE-2025-47813
- **CVSS Score:** 4.3 (Medium)
- **CWE:** CWE-209 (Generation of Error Message Containing Sensitive Information)
## Affected Systems
- **Products:** Wing FTP Server
- **Versions:** All versions prior to and including 7.4.3
- **Configurations:** Systems utilizing the web-based login interface
## Vulnerability Description
Wing FTP Server fails to properly validate the length of the "UID" session cookie at the `/loginok.html` endpoint. When an attacker provides a "UID" value that exceeds the maximum path size of the underlying operating system, the application undergoes an error handling failure. This triggers an error message that discloses the full local installation path of the application on the server.
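The failure mode described above, shown as an added illustration that is not Wing FTP's code: a hypothetical session handler builds a filename from the `UID` cookie without any length or format check and returns the raw OS error text to the client. Because Python's `OSError` string includes the offending path, an oversized `UID` (or, more generally, any lookup that fails at the filesystem level) reveals the installation directory. The hardened variant validates the id before touching the filesystem and keeps error details server-side. The install directory, the 32-hex-character session-id format and the `sessions` subdirectory are all constructed for this example.

```python
import os
import re
import tempfile

# Constructed stand-in for the application's installation directory. The
# real product's path is irrelevant here; the point is that whatever the
# path is, it appears verbatim in the OS error text.
INSTALL_DIR = tempfile.mkdtemp(prefix="ftpserver-install-")
SESSION_DIR = os.path.join(INSTALL_DIR, "sessions")
os.makedirs(SESSION_DIR, exist_ok=True)

# Hypothetical session-id format: 32 lowercase hex characters, the kind of
# shape a server that mints its own ids can enforce before any I/O.
UID_PATTERN = re.compile(r"[0-9a-f]{32}")


def load_session_vulnerable(uid: str) -> str:
    """CWE-209 pattern: the cookie value becomes a filename unchecked and
    the OS error is echoed to the client. A UID longer than the OS
    name/path limit raises ENAMETOOLONG; str(exc) carries the full path,
    so the response discloses INSTALL_DIR."""
    try:
        with open(os.path.join(SESSION_DIR, uid), encoding="utf-8") as fh:
            return fh.read()
    except OSError as exc:
        return f"Session error: {exc}"


def load_session_hardened(uid: str) -> str:
    """Reject malformed ids before the filesystem is involved, and never
    return OS error details to the client; log them server-side instead."""
    if not UID_PATTERN.fullmatch(uid):
        return "Session error: invalid session"
    try:
        with open(os.path.join(SESSION_DIR, uid), encoding="utf-8") as fh:
            return fh.read()
    except OSError as exc:
        # Server-side only; a real application would use its logger.
        print(f"[server log] session lookup failed: {exc!r}")
        return "Session error: invalid session"


def leaks_install_path(response: str) -> bool:
    """True if the text sent to the client contains the install directory."""
    return INSTALL_DIR in response


if __name__ == "__main__":
    oversized = "A" * 5000  # constructed: longer than any OS path limit
    print(leaks_install_path(load_session_vulnerable(oversized)))  # True
    print(leaks_install_path(load_session_hardened(oversized)))    # False
    # A well-formed but unknown id also leaks in the vulnerable handler,
    # because the "no such file" error names the path as well.
    print(leaks_install_path(load_session_vulnerable("0" * 32)))   # True
```

The length check alone would close the specific condition the advisory describes, but the format check plus a generic client-facing message is what removes the CWE-209 class entirely: no filesystem error of any kind reaches the client.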
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV catalog)
- **Complexity:** Low
- **Attack Vector:** Network (Authenticated)
- **PoC Available:** Yes (Published by researcher Julien Ahrens)
## Impact
- **Confidentiality:** Low (Information disclosure of server file structure/installation paths)
- **Integrity:** None
- **Availability:** None
- **Note:** While the impact of this specific CVE is medium, it is often used as a reconnaissance step to facilitate more severe attacks, such as CVE-2025-47812 (Remote Code Execution).
## Remediation
### Patches
- **Wing FTP Server Version 7.4.4:** This version addresses the flaw and should be applied immediately.
### Workarounds
- No specific workarounds were provided; upgrading to the patched version is the recommended course of action. CISA mandates that federal agencies apply the fix by **March 30, 2026**.
## Detection
- **Indicators of Compromise:** Unusual log entries involving the `/loginok.html` endpoint with abnormally long UID cookie strings.
- **Detection methods and tools:**
  - Monitor web server error logs for path disclosure patterns.
  - Security teams can use the available PoC to scan internal assets for vulnerability to this specific path disclosure.
  - Inspect for concurrent activity related to CVE-2025-47812 (e.g., unauthorized Lua file execution).
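The indicator listed above (requests to `/loginok.html` carrying an abnormally long `UID` cookie), turned into a detection pass over log lines. This is an added example, not tooling from the page, the vendor or CISA; the log format, the sample lines with documentation-range IP addresses, and the 256-character threshold are all constructed. Most web servers do not log cookie headers by default, so a real deployment would first enable that field (or inspect traffic at a reverse proxy) before this rule has anything to read.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed log format (the real server's format will differ): client IP,
# request line, status code, then the raw Cookie header as received.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)
# The UID cookie may sit anywhere in the header; stop at the next ';'.
UID_COOKIE = re.compile(r"(?:^|;\s*)UID=(?P<uid>[^;]*)")

# Assumption of this example: legitimate session ids are short, so any UID
# on the login endpoint beyond this length is treated as a probe. Windows
# MAX_PATH is 260 and Linux PATH_MAX is 4096, but a threshold near normal
# id length catches the behaviour long before those limits.
UID_LENGTH_THRESHOLD = 256
LOGIN_ENDPOINT = "/loginok.html"


@dataclass
class Finding:
    ip: str
    status: str
    uid_length: int


def parse_uid(cookie_header: str):
    """Return the UID cookie value, or None if the header has none."""
    m = UID_COOKIE.search(cookie_header)
    return m.group("uid") if m else None


def detect_oversized_uid(lines: Iterable[str],
                         threshold: int = UID_LENGTH_THRESHOLD) -> List[Finding]:
    """Flag requests to the login endpoint whose UID cookie exceeds threshold."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real pipeline would count these
        # Compare the path component only, ignoring any query string.
        if m.group("path").split("?", 1)[0] != LOGIN_ENDPOINT:
            continue
        uid = parse_uid(m.group("cookie"))
        if uid is not None and len(uid) > threshold:
            findings.append(Finding(m.group("ip"), m.group("status"), len(uid)))
    return findings


# Constructed sample log: one normal login, one oversized UID on the login
# endpoint, one oversized UID elsewhere (not the indicator), one without UID.
NORMAL_UID = "1f3a9c0e7b2d4a6f8c1e3b5d7f9a0c2e"
OVERSIZED_UID = "A" * 600
SAMPLE_LOG = [
    f'198.51.100.7 "GET /loginok.html HTTP/1.1" 200 cookie="UID={NORMAL_UID}; lang=en"',
    f'203.0.113.42 "GET /loginok.html HTTP/1.1" 200 cookie="UID={OVERSIZED_UID}; lang=en"',
    f'203.0.113.42 "GET /index.html HTTP/1.1" 200 cookie="UID={OVERSIZED_UID}"',
    '198.51.100.9 "POST /login HTTP/1.1" 302 cookie="lang=en"',
]

if __name__ == "__main__":
    for f in detect_oversized_uid(SAMPLE_LOG):
        print(f"ALERT {f.ip} status={f.status} uid_length={f.uid_length}")
```

Pair the alert with the error-log check the list above mentions: a hit here followed by an application error mentioning a filesystem path is the full pattern, and the same source address appearing later against CVE-2025-47812 activity is the escalation to look for.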
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Researcher Advisory:** hxxps[://]github[.]com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt
- **Detailed Technical Analysis:** hxxps[://]www.rcesecurity[.]com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
- **Original News Source:** hxxps[://]thehackernews[.]com/2026/03/cisa-flags-actively-exploited-wing-ftp.html