The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw affecting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that allows the installation path of an application to be leaked under certain conditions.
“The Wing FTP server contains a series of error messages that include a vulnerability of sensitive information when using long values for UID cookies,” CISA said.
This drawback affects all versions of the software prior to version 7.4.3. This issue was resolved in version 7.4.4 shipped in May following a responsible disclosure by RCE security researcher Julien Ahrens.
It is worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows remote code execution. As of July 2025, this vulnerability is being exploited in the wild.
According to details shared by Huntress at the time, the attackers exploited this to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.
In a proof-of-concept (PoC) exploit shared on GitHub, Ahrens pointed out that the “/loginok.html” endpoint does not properly validate the value of the “UID” session cookie. As a result, if the value specified is longer than the maximum path size of the underlying operating system, an error message is displayed that indicates the full path on the local server.
“A successful exploit could allow an authenticated attacker to obtain the application’s local server path, which could be useful in exploiting vulnerabilities like CVE-2025-47812,” the researchers added.
Details about how this vulnerability is being exploited in the wild and whether it is being exploited in conjunction with CVE-2025-47812 are currently unknown. In light of the latest developments, Federal Civilian Executive Branch (FCEB) agencies are encouraged to apply the necessary amendments by March 30, 2026.
Source link
