The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly identified vulnerability affecting Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation risks in real-world environments. The flaw, tracked as CVE-2025-47813 with a CVSS score of 4.3, is categorized as an information disclosure vulnerability that can expose sensitive system details under specific conditions.
The issue impacts all versions of Wing FTP Server up to and including version 7.4.3. It has been addressed in version 7.4.4, which was released following responsible disclosure by security researcher Julien Ahrens. Despite its medium severity rating, the vulnerability has raised concerns due to its potential role in broader cyberattack chains.
According to CISA, the vulnerability stems from improper handling of error messages when processing long values in the UID session cookie. When the value exceeds the system’s maximum path length, the application generates an error that unintentionally reveals the full installation path of the server. This information disclosure could provide attackers with critical insights into system architecture, increasing the likelihood of further exploitation.
Security experts note that while CVE-2025-47813 alone may not directly compromise systems, it can act as a stepping stone for more severe attacks. Notably, version 7.4.4 also patches a critical vulnerability, CVE-2025-47812, which carries a CVSS score of 10.0 and enables remote code execution. This critical flaw has already been observed in active exploitation scenarios, making the combination of both vulnerabilities particularly concerning for organizations using outdated software versions.
Threat intelligence reports indicate that attackers exploiting CVE-2025-47812 have used it to deploy malicious Lua scripts, perform system reconnaissance, and install remote monitoring and management tools. The disclosure of server paths through CVE-2025-47813 could further assist attackers in refining their attack strategies and targeting vulnerable systems more effectively.
Julien Ahrens demonstrated in a proof-of-concept exploit that the endpoint “/loginok.html” fails to properly validate UID cookie values. By manipulating this parameter, an authenticated attacker can trigger error responses that expose sensitive system paths, potentially aiding in subsequent exploitation efforts.
Although there is no confirmed evidence yet that both vulnerabilities are being chained together in active attacks, cybersecurity authorities warn that such scenarios remain highly plausible. As a precaution, Federal Civilian Executive Branch (FCEB) agencies have been directed to apply necessary patches and mitigations by March 30, 2026.
This development underscores the growing importance of proactive vulnerability management, timely patching, and robust cybersecurity practices as organizations continue to face increasingly sophisticated and multi-layered cyber threats.
Recommended Cyber News :
- How Access Control Works: Practical Guide for IT and Security Teams
- Key Features of MaaS: What to Look for in Monitoring Solution?
- Top Compliance Automation and Adaptive Policy Management Tools
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
