Full Report
CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks. [...]
Analysis Summary
# Vulnerability: Wing FTP Server Information Disclosure (Installation Path Leak)
## CVE Details
- **CVE ID:** CVE-2025-47813
- **CVSS Score:** Not given in the source text (CVE-2025-47812, the RCE flaw it is commonly chained with, is rated Critical)
- **CWE:** CWE-209 (Generation of Error Message Containing Sensitive Information)
## Affected Systems
- **Products:** Wing FTP Server (Cross-platform FTP/SFTP/Web server)
- **Versions:** All versions prior to v7.4.4
- **Configurations:** Any deployment whose web interface is reachable by the attacker; the trigger is the server's handling of the UID session cookie, so no authentication is required.
## Vulnerability Description
The flaw is an information disclosure triggered when the server processes an overlong value in the **UID cookie**. Instead of failing cleanly, the application returns an error message that includes the full local installation path of the server. On its own the leak is minor, but the path is exactly the reconnaissance an attacker needs to weaponize other vulnerabilities that depend on knowing where the software lives on disk.
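The behaviour above can be checked from the outside without exploiting anything further. The script below is an added example written for this page, not the researcher's PoC and not vendor code; it assumes the probe goes to the root of the web interface, treats 4096 bytes as "long" (the page only says "long value"), and looks for an absolute Windows or POSIX path anywhere in the response body. The sample responses at the bottom are constructed. Run it only against systems you are authorized to test.

```python
# Added example: a read-only exposure check for the overlong-UID-cookie
# behaviour.  Not the researcher's PoC or vendor code.  Assumptions: probe
# goes to the web interface root, 4096 bytes counts as "long", and the leaked
# path appears somewhere in the error body.
import re
import sys
import urllib.error
import urllib.request
from typing import List

PROBE_PATH = "/"        # assumed; the page does not name the endpoint
PROBE_LENGTH = 4096     # assumed; the page says only "long value"

# Heuristics for absolute paths: Windows (C:\Program Files\...) and POSIX (/opt/...).
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\<>"\'\r\n]+\\?)+')
POSIX_PATH = re.compile(r'(?<![\w/])/(?:[A-Za-z0-9._-]+/)+[A-Za-z0-9._-]*')


def build_probe_cookie(length: int = PROBE_LENGTH) -> str:
    """Cookie header carrying an overlong UID value, the trigger named on the page."""
    return "UID=" + "A" * length


def find_disclosed_paths(body: str) -> List[str]:
    """Absolute filesystem paths found in a response body, in order, de-duplicated."""
    hits = WIN_PATH.findall(body) + POSIX_PATH.findall(body)
    return list(dict.fromkeys(h.strip() for h in hits))


def probe(base_url: str, timeout: float = 10.0) -> List[str]:
    """Send one request with the overlong cookie and return any leaked paths.

    The leak lives in an error page, so a 4xx/5xx body is read rather than discarded.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={"Cookie": build_probe_cookie(), "User-Agent": "cve-2025-47813-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return find_disclosed_paths(body)


# Constructed sample responses (not captured from a real server).
SAMPLE_LEAK = ('<html><body>Error: cannot open '
               '"C:\\Program Files\\Wing FTP Server\\session\\AAAA.lua"</body></html>')
SAMPLE_CLEAN = "<html><body>Invalid session</body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or "no path disclosed")
    else:
        print(find_disclosed_paths(SAMPLE_LEAK))
```

An empty result means only that this particular probe did not surface a path; it is not proof the host is patched, so pair it with the version check from the vendor history.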
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog as of March 2026)
- **Complexity:** Low
- **Attack Vector:** Network
- **PoC Available:** Yes (Released by researcher Julien Ahrens in June 2025)
## Impact
- **Confidentiality:** Low/Medium (Disclosure of system file paths)
- **Integrity:** None (Directly); High (If chained with RCE)
- **Availability:** None
- **Note:** This flaw is frequently chained with **CVE-2025-47812** (Remote Code Execution) to facilitate more impactful attacks.
## Remediation
### Patches
- **Wing FTP Server v7.4.4:** Released in May 2025. This version addresses CVE-2025-47813, CVE-2025-47812 (RCE), and CVE-2025-27889 (Password Theft).
### Workarounds
- No specific software workarounds provided; CISA recommends discontinuing use of the product if the patch cannot be applied.
- Restrict access to the web administration and file transfer interfaces to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Error responses, or error log entries, tied to requests whose UID cookie carries an abnormally long value.
- **Detection methods and tools:**
- Security teams should scan for Wing FTP Server versions earlier than 7.4.4.
- Monitor web server logs for exploitation attempts targeting the UID cookie field.
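Both detection steps can be scripted. The block below is an added example for this page, not CISA's or the vendor's tooling; it assumes inventory data yields version strings such as "7.4.3", that a reverse proxy in front of the web interface logs the Cookie header as the last quoted field (an nginx-style format with `$http_cookie` appended), and that a UID value over 256 bytes is anomalous. The log lines are constructed.

```python
# Added example for the detection guidance: flag pre-7.4.4 version strings and
# flag requests carrying an overlong UID cookie.  Not CISA or vendor tooling.
# Assumptions: version strings like "7.4.3"; proxy logs the Cookie header as
# the last quoted field; a UID value over 256 bytes is anomalous.
import re
from typing import Dict, List, Optional, Tuple

PATCHED = (7, 4, 4)          # first fixed release per the vendor history
UID_LEN_THRESHOLD = 256      # assumed alert threshold

# Constructed log lines in an nginx-style format with $http_cookie appended.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "UID=abc123def456"',
    '10.0.0.9 - - [01/Jan/2026:10:01:07 +0000] "GET / HTTP/1.1" 500 2048 "UID=' + "A" * 3000 + '"',
    '10.0.0.7 - - [01/Jan/2026:10:01:09 +0000] "GET /login HTTP/1.1" 200 1024 "-"',
]
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'v7.4.3' or '7.4.3 (Windows)' -> (7, 4, 3)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True for any Wing FTP Server release before 7.4.4."""
    return parse_version(version) < PATCHED


def uid_cookie_length(cookie_header: str) -> Optional[int]:
    """Length of the UID cookie value, or None when the request carries none."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return None


def scan_log(lines: List[str], threshold: int = UID_LEN_THRESHOLD) -> List[Dict[str, object]]:
    """Return one alert per request whose UID cookie exceeds the threshold."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip rather than stop the pipeline
        length = uid_cookie_length(m.group("cookie"))
        if length is not None and length > threshold:
            alerts.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "request": m.group("request"),
                "status": int(m.group("status")),
                "uid_length": length,
            })
    return alerts


if __name__ == "__main__":
    for v in ("7.4.3", "7.4.4", "7.5.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Default access-log formats do not record cookies, so the log rule only works once the proxy or WAF is configured to log the Cookie header; a 5xx status alongside the long value is the stronger signal, since the leak is in an error response.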
## References
- **Vendor History:** hxxps[://]www[.]wftpserver[.]com/serverhistory[.]htm
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Researcher PoC:** hxxps[://]github[.]com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813[.]txt
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-flags-wing-ftp-server-flaw-as-actively-exploited-in-attacks/