CISA Flags Year-Old Wing FTP Vulnerability as Exploited

Summary

CISA added CVE-2025-47813, a year-old Wing FTP Server vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The medium-severity flaw allows attackers to disclose the application's full local installation path via an overlong UID cookie, which can be chained with the critical CVE-2025-47812 (RCE) for deeper compromise. Federal agencies are required to patch by March 30, 2026.

Full text

The US cybersecurity agency CISA on Monday warned that a year-old Wing FTP vulnerability has been exploited in the wild. A free secure FTP server for Windows, macOS, and Linux, Wing FTP supports multiple file transfer protocols and allows administrators to manage and monitor the server remotely from a web-based interface. Tracked as CVE-2025-47813, the medium-severity flaw could lead to the disclosure of the full local installation path of the application when a long value is used in the UID cookie of a logged-in session. The bug was disclosed on May 14, 2025, when Wing FTP Server version 7.4.4 was rolled out with patches for it. On Monday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by March 30. The security defect impacted Wing FTP’s loginok.html endpoint, which failed to properly validate the UID cookie, allowing an attacker to obtain the full installation path by supplying an overlong value.Advertisement. Scroll to continue reading. “If a value is supplied on this way that is longer than the maximum path size of the underlying operating system, an error message is triggered which discloses the full local server path,” explained Julien Ahrens of RCE Security, who found the bug and published proof-of-concept (PoC) code for it. According to the security researcher, attackers could leverage the application’s local server path to exploit other vulnerabilities in Wing FTP. One of them is CVE-2025-47812, a critical-severity flaw that leads to remote code execution. CVE-2025-47812, also patched in Wing FTP Server version 7.4.4, was flagged as exploited in June 2025, when Censys said that roughly 5,000 internet-accessible servers were likely susceptible to exploitation via POST requests. CVE-2025-47812 was added to CISA’s KEV list in July 2025. Related: In Other News: N8n Flaw Exploited, Slopoly Malware, Interpol Cybercrime Crackdown Related: Chrome 146 Update Patches Two Exploited Zero-Days Related: Recent Ivanti Endpoint Manager Flaw Exploited in Attacks Related: Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Critical HPE AOS-CX Vulnerability Allows Admin Password ResetsBold Security Emerges From Stealth With $40 Million in FundingGoogle Paid Out $17 Million in Bug Bounty Rewards in 2025Onyx Security Launches With $40 Million in FundingChrome 146 Update Patches Two Exploited Zero-DaysAlly WordPress Plugin Flaw Exposes Over 200,000 Websites to AttacksSplunk, Zoom Patch Severe VulnerabilitiesCisco Patches High-Severity IOS XR Vulnerabilities Latest News AI, APIs and DDoS Collide in New Era of Coordinated CyberattacksOracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactSecurity Firm Executive Targeted in Sophisticated Phishing AttackChina-Linked Hackers Hit Asian Militaries in Patient Espionage OperationThreat Actor Targeting VPN Users in New Credential Theft CampaignForceMemo: Python Repositories Compromised in GlassWorm AftermathHacking Attempt Reported at Poland’s Nuclear Research CenterLoblaw Data Breach Impacts Customer Information Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the MoveSonicWall has appointed Patrick O’Donnell as its new Chief Revenue Officer.The US Senate has confirmed Army Lt. Gen. Joshua Rudd to lead NSA and CYBERCOM.Business software company Rippling has appointed Adrian Ludwig as CSO.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2025-47813
• cve — CVE-2025-47812