The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47813, a medium-severity vulnerability in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The listing, made on March 17, 2026, obliges federal civilian agencies to patch the flaw by a fixed deadline.
The flaw is an information disclosure bug with a CVSS score of 4.3 that can expose the Wing FTP Server installation path under specific conditions. According to CISA's description, the server generates an error message containing sensitive data when an overly long value is supplied in the UID cookie.
Wing FTP Server Vulnerability and Exploitation
The vulnerability affects all versions of Wing FTP Server up to and including 7.4.3. It was fixed in version 7.4.4, released in May 2025 following responsible disclosure by researcher Julien Ahrens of RCE Security.
Version 7.4.4 also fixes CVE-2025-47812, a critical remote code execution vulnerability with a CVSS score of 10.0 that has reportedly been exploited in the wild since July 2025. Telemetry shared by Huntress at the time showed attackers using CVE-2025-47812 to download and execute malicious Lua files, perform reconnaissance, and deploy remote monitoring and management (RMM) software.
Technical Details of CVE-2025-47813
Julien Ahrens published a proof-of-concept on GitHub showing that the "/loginok.html" endpoint does not adequately validate the "UID" session cookie. If the supplied UID value exceeds the maximum path length supported by the underlying operating system, the server generates an error message that discloses the application's full local installation path.
Ahrens noted that successful exploitation could give an authenticated attacker the local server path of the application, information that could then be used to facilitate the exploitation of other vulnerabilities, such as the critical CVE-2025-47812.
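To make the bug class concrete, the following Python script is an added illustration and is not Wing FTP Server's code (which is not public). It reconstructs the pattern the advisory describes: a session cookie value is spliced unvalidated into a filesystem path, the operating system rejects the overlong name, and the raw error (which embeds the absolute path) is returned to the client. The handler names, the "sessions" directory layout, the UID token format and the 500/400/403 status choices are assumptions; the detection helper at the end parses constructed Cookie headers, not real traffic.

```python
"""
Illustrative reconstruction of the CVE-2025-47813 bug class (added example,
not Wing FTP Server code). An unvalidated session cookie becomes a path
component; the resulting OSError string carries the absolute path and is
echoed to the client. Handler names, the "sessions" layout and the UID
format are assumptions for illustration only.
"""
import os
import re
import tempfile

# Assumed UID format: a short alphanumeric token. Bounding the length here
# is what stops an overlong cookie from ever reaching the filesystem.
UID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_loginok(install_dir, uid_cookie):
    """Assumed vulnerable pattern: cookie -> path component, raw error returned."""
    session_file = os.path.join(install_dir, "sessions", uid_cookie)
    try:
        os.stat(session_file)
    except OSError as exc:
        # str(exc) reads like "[Errno 36] File name too long: '/opt/.../sessions/AAAA...'",
        # so the server's installation directory is handed to the client.
        return 500, "Internal error: %s" % exc
    return 200, "ok"


def hardened_loginok(install_dir, uid_cookie):
    """Same flow with input validation and a generic client-facing error."""
    if not UID_RE.fullmatch(uid_cookie):
        return 400, "invalid session"
    session_file = os.path.join(install_dir, "sessions", uid_cookie)
    try:
        os.stat(session_file)
    except OSError:
        # Log the exception server-side if needed; never echo it to the client.
        return 403, "session not found"
    return 200, "ok"


def parse_cookies(cookie_header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def oversized_uid_cookie(cookie_header, limit=255):
    """Detection helper: True when the UID cookie is longer than any sane
    session token. 255 is the usual single path-component limit (NAME_MAX);
    tune the threshold to the real token length in your environment."""
    uid = parse_cookies(cookie_header).get("UID", "")
    return len(uid) > limit


def demo():
    """Run both handlers against an overlong UID inside a throwaway install
    directory and report whether each response leaks that directory."""
    with tempfile.TemporaryDirectory() as install_dir:
        os.makedirs(os.path.join(install_dir, "sessions"))
        long_uid = "A" * 5000  # far beyond NAME_MAX (255) and PATH_MAX (4096) on Linux
        v_status, v_body = vulnerable_loginok(install_dir, long_uid)
        h_status, h_body = hardened_loginok(install_dir, long_uid)
        return {
            "vulnerable_status": v_status,
            "vulnerable_leaks_path": install_dir in v_body,
            "hardened_status": h_status,
            "hardened_leaks_path": install_dir in h_body,
        }


if __name__ == "__main__":
    print(demo())
    # Constructed sample Cookie headers (not captured traffic).
    for hdr in ("SID=9f1c; UID=abc123", "UID=" + "A" * 5000):
        print("suspicious" if oversized_uid_cookie(hdr) else "benign", len(hdr))
```

The vulnerable handler leaks the temporary install directory in its 500 response because the OS error string includes the offending path; the hardened handler never touches the filesystem with an unvalidated token and returns a message that reveals nothing about the host. The `oversized_uid_cookie` check is a cheap way to sweep web-server access or proxy logs for the trigger condition while a Wing FTP upgrade is pending.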
Implications and Remediation Timeline
There are currently no public details confirming whether CVE-2025-47813 is being abused in conjunction with CVE-2025-47812 in the wild. CISA, however, only adds a CVE to the KEV catalog when it has reliable evidence of active exploitation, so the listing itself signals a credible threat.
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the necessary updates by March 30, 2026. The mandate is binding only on federal agencies, but any organization still running Wing FTP Server 7.4.3 or earlier should upgrade to 7.4.4 or later, which closes both CVE-2025-47813 and the critical CVE-2025-47812.