The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions.
“Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie,” CISA said.
The shortcoming affects all versions of the software prior to and including version 7.4.3. The issue was addressed in version 7.4.4, shipped in May following responsible disclosure by RCE Security researcher Julien Ahrens.
It is worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution. As of July 2025, that vulnerability has come under active exploitation in the wild.
According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.
Ahrens, in a proof-of-concept (PoC) exploit shared on GitHub, noted that the endpoint at “/loginok.html” does not properly validate the value of the “UID” session cookie. Consequently, if the supplied value is longer than the maximum path size of the underlying operating system, it triggers an error message that discloses the full local server path.
“Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812,” the researcher added.
There are currently no details on how the vulnerability is being exploited in the wild, or whether it is being abused in conjunction with CVE-2025-47812. In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026.
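Because the trigger is an abnormally long UID cookie sent to the login endpoint, defenders can hunt for attempts in web logs. The following is an added example (not code from the article, Wing FTP, or the researcher) that flags /loginok.html requests carrying an overlong UID cookie; the log line layout, the `SUSPICIOUS_UID_LEN` threshold, and the sample entries are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical (constructed) access-log format: "<ip> <method> <path> cookie=\"<Cookie header>\"".
# Wing FTP's real log layout is not described in the article; adapt the regex to your source.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$')

# Assumed threshold: a legitimate session id is short, while the bug needs a value longer than
# the OS path limit (260 on Windows, 4096 on Linux), so anything near these lengths is suspicious.
SUSPICIOUS_UID_LEN = 256

@dataclass
class Finding:
    ip: str
    path: str
    uid_len: int

def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into a name->value dict (first occurrence wins)."""
    cookies = {}
    for part in header.split(';'):
        name, _, value = part.strip().partition('=')
        if name and name not in cookies:
            cookies[name] = value
    return cookies

def scan_log(lines):
    """Return a Finding for each /loginok.html request whose UID cookie is overlong."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        if not m.group('path').startswith('/loginok.html'):
            continue  # only the login endpoint is named in the advisory
        uid = parse_cookie_header(m.group('cookie')).get('UID')
        if uid is not None and len(uid) >= SUSPICIOUS_UID_LEN:
            findings.append(Finding(m.group('ip'), m.group('path'), len(uid)))
    return findings

# Constructed sample lines: a normal login, an overlong UID on another path, and a hit.
SAMPLE_LOG = [
    '203.0.113.5 POST /loginok.html cookie="UID=a1b2c3d4e5f6"',
    '198.51.100.7 GET /main.html cookie="UID=' + 'A' * 600 + '"',
    '198.51.100.9 POST /loginok.html cookie="lang=en; UID=' + 'A' * 600 + '"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f'{f.ip} sent a {f.uid_len}-byte UID cookie to {f.path}')
```

Widening the path filter to every endpoint is a one-line change if you would rather alert on any oversized session cookie.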