CISA Flags Actively Exploited Wing FTP Vulnerability Exposing Server Paths

Attackers leverage minor flaw to prepare for deeper system compromise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly observed vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog. Although the flaw carries a medium severity score, its real-world impact tells a more serious story.

The vulnerability, CVE-2025-47813, exposes sensitive server-side information under specific conditions. In particular, it allows attackers to retrieve the full installation path of the application—an insight that can significantly aid further exploitation.

What’s the Core Issue?

The flaw originates from improper validation of the UID session cookie. When an attacker supplies an excessively long value, the server generates an error message that unintentionally reveals internal system paths.

At first glance, this may seem like a low-risk issue. However, attackers rarely operate in isolation. Instead, they chain vulnerabilities together—and that’s where the real danger emerges.

Why This Matters More Than It Seems

This information disclosure vulnerability becomes critical when combined with another flaw: CVE-2025-47812, a remote code execution (RCE) vulnerability affecting the same software.

Attackers can use leaked server paths to:

  • Map the internal environment
  • Identify execution points
  • Increase the success rate of RCE attacks

As a result, even a medium-severity flaw becomes a stepping stone to full system compromise.

Evidence of Active Exploitation

Security researchers have already observed attackers exploiting the RCE vulnerability in real-world scenarios. Threat actors have been seen:

  • Deploying malicious Lua scripts
  • Conducting reconnaissance on infected systems
  • Installing remote monitoring and management (RMM) tools

Meanwhile, the inclusion of CVE-2025-47813 in the KEV catalog confirms that attackers are actively leveraging this flaw as part of their attack chain.

Affected Versions and Fixes

The issue impacts Wing FTP Server versions up to 7.4.3. However, version 7.4.4, released earlier, addresses both:

  • The information disclosure flaw (CVE-2025-47813)
  • The critical RCE vulnerability (CVE-2025-47812)

Therefore, organizations still running older versions face a significantly elevated risk.

What Organizations Should Do Now

CISA has set a remediation deadline of March 30, 2026 for federal agencies. However, private organizations should act immediately.

Recommended actions:

  • Upgrade Wing FTP Server to version 7.4.4 or later
  • Monitor logs for unusual authentication or cookie manipulation attempts
  • Restrict external access to FTP services wherever possible
  • Implement layered security controls to detect post-exploitation behavior
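The second recommendation above, monitoring for cookie manipulation, can be turned into a concrete log check. The flaw as described triggers when the UID session cookie is excessively long and the server answers with an error page, so a detector that flags oversized UID cookies, and raises confidence when the same request produced a 5xx response, covers the pattern. The script below is an added example written for this article, not code from CISA, Wing FTP, or any vendor: the access-log format, the 64-character length threshold, and all sample lines are constructed assumptions, and Wing FTP's real log layout may differ.

```python
import re
from collections import Counter

# Assumed threshold: legitimate UID session cookies in this constructed
# sample are 32 hex characters; anything far beyond that is suspicious.
MAX_UID_LEN = 64

# Generic web-access-style format, constructed for this example. Wing FTP's
# real log layout is not shown in the article and may differ.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)"$'
)


def uid_from_cookie(cookie_field):
    """Return the UID cookie value from a 'name=value; name=value' field, or None."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def find_oversized_uid(lines, max_len=MAX_UID_LEN):
    """Flag requests whose UID cookie is longer than max_len.

    A 5xx response alongside an oversized cookie matches the behaviour the
    article describes for CVE-2025-47813 (oversized UID leads to an error page
    that leaks paths), so it is marked high confidence; an oversized cookie
    with a normal response is marked low confidence.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed line; a real deployment should count these too
        uid = uid_from_cookie(m["cookie"])
        if uid is None or len(uid) <= max_len:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "status": status,
            "uid_len": len(uid),
            "confidence": "high" if status >= 500 else "low",
        })
    return findings


def count_by_ip(findings):
    """Per-source tally, useful when deciding what to block or escalate."""
    return Counter(f["ip"] for f in findings)


# Constructed sample traffic: two normal requests, one oversized-cookie request
# that produced a server error, one that did not, and one with no cookie at all.
NORMAL_UID = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
LONG_UID = "A" * 512


def _line(ip, ts, path, status, cookie):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} cookie="{cookie}"'


SAMPLE_LOG = [
    _line("203.0.113.7", "12/Mar/2026:10:01:02 +0000", "/loginok.html", 200, f"UID={NORMAL_UID}"),
    _line("203.0.113.7", "12/Mar/2026:10:01:05 +0000", "/dir.html", 200, f"UID={NORMAL_UID}; lang=en"),
    _line("198.51.100.23", "12/Mar/2026:10:02:11 +0000", "/dir.html", 500, f"UID={LONG_UID}"),
    _line("198.51.100.23", "12/Mar/2026:10:02:12 +0000", "/dir.html", 200, f"lang=en; UID={LONG_UID}"),
    _line("192.0.2.9", "12/Mar/2026:10:03:40 +0000", "/", 200, "-"),
]

if __name__ == "__main__":
    hits = find_oversized_uid(SAMPLE_LOG)
    for f in hits:
        print(f"{f['confidence']:>4}  {f['ip']:<15} {f['path']:<14} "
              f"status={f['status']} uid_len={f['uid_len']}")
    print(dict(count_by_ip(hits)))
```

Tune `MAX_UID_LEN` to the length of session cookies your own deployment issues, and treat a burst of high-confidence hits from one source as a reason to check that the server is already on 7.4.4 or later rather than as a standalone alert.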

Final Insight

This incident reinforces a critical cybersecurity lesson:
Attackers don’t rely on single vulnerabilities—they build attack chains.

Even seemingly minor flaws can become powerful entry points when combined with high-impact exploits. Therefore, organizations must treat all actively exploited vulnerabilities with urgency, regardless of their CVSS score.