The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a medium-severity flaw in Wing FTP to its catalog of Known Exploited Vulnerabilities (KEV). This decision comes in response to evidence of ongoing exploitation of the vulnerability. Identified as CVE-2025-47813 and carrying a CVSS score of 4.3, this flaw involves the unintended exposure of installation paths under specific conditions.
Details of the Wing FTP Vulnerability
The vulnerability, as outlined by CISA, is triggered when an overly long value is supplied in the UID cookie, producing error messages that reveal sensitive information. The issue affects all versions up to and including 7.4.3. It has been fixed in version 7.4.4, released in May, following responsible disclosure by RCE Security researcher Julien Ahrens.
Additionally, version 7.4.4 addresses another critical vulnerability, CVE-2025-47812, which has a CVSS score of 10.0. This separate flaw allows for remote code execution and has been actively exploited since July 2025.
Exploitation and Patches
According to Huntress, attackers have utilized CVE-2025-47812 to execute malicious Lua files, perform reconnaissance, and install remote monitoring software. A proof-of-concept exploit, shared by Ahrens on GitHub, demonstrates that the endpoint at “/loginok.html” fails to properly validate the UID session cookie. If the provided value exceeds the operating system’s maximum path length, it results in an error message that discloses the local server path.
A successful exploit lets an authenticated attacker learn the local server path, which could aid further exploitation of flaws such as CVE-2025-47812.
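The condition described above (a UID cookie on “/loginok.html” longer than the platform's path limit) is something a defender can hunt for in web request logs. The following detector is an added example, not code from the article, Huntress or the researcher; it assumes a constructed log format in which the Cookie header is captured as a quoted trailing field, and it uses Windows MAX_PATH (260) and a typical Linux PATH_MAX (4096) as the thresholds, since the article gives no number.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed log format: common log fields followed by the captured Cookie header in quotes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<cookie>[^"]*)"$'
)
# Platform path limits (Windows MAX_PATH, typical Linux PATH_MAX); the article names no number.
MAX_PATH = {"windows": 260, "linux": 4096}

@dataclass
class Finding:
    src: str
    ts: str
    uid_len: int
    status: str

def uid_cookie_value(cookie_header: str) -> Optional[str]:
    """Return the UID cookie value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return unquote(value)
    return None

def detect_oversized_uid(log_lines, platform="windows"):
    """Flag /loginok.html requests whose UID cookie exceeds the platform path limit."""
    limit = MAX_PATH[platform]
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/loginok.html"):
            continue
        uid = uid_cookie_value(m.group("cookie"))
        if uid is not None and len(uid) > limit:
            findings.append(Finding(m.group("src"), m.group("ts"), len(uid), m.group("status")))
    return findings

# Constructed sample lines: a normal login, an oversized UID on /loginok.html, and the same UID elsewhere.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2026:09:12:01 +0000] "POST /loginok.html HTTP/1.1" 200 512 "UID=a1b2c3d4e5; lang=en"',
    '198.51.100.9 - - [10/Mar/2026:09:12:44 +0000] "GET /loginok.html HTTP/1.1" 500 1043 "UID=' + "A" * 600 + '"',
    '198.51.100.9 - - [10/Mar/2026:09:13:02 +0000] "GET /dir.html HTTP/1.1" 200 2048 "UID=' + "A" * 600 + '"',
]

if __name__ == "__main__":
    for f in detect_oversized_uid(SAMPLE_LOGS):
        print(f"{f.ts} {f.src}: UID cookie of {f.uid_len} chars on /loginok.html (status {f.status})")
```

Run against real logs, pair the hit with the server's own error output to confirm whether the path was actually disclosed, and treat any hit on an unpatched (pre-7.4.4) host as a signal to prioritise the upgrade.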
Recommendations for Agencies
As of now, there is no detailed information on the exploitation methods being used in the wild, nor is it clear if this vulnerability is being exploited alongside CVE-2025-47812. In response to these developments, Federal Civilian Executive Branch (FCEB) agencies are advised to implement the necessary updates by March 30, 2026.
This proactive measure is crucial in mitigating potential risks associated with these vulnerabilities, underscoring the importance of timely software updates to safeguard network infrastructures.
