The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions.
“Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie,” CISA said.
The shortcoming affects all versions of the software prior to and including version 7.4.3. The issue was addressed in version 7.4.4, shipped in May following a responsible disclosure by RCE Security researcher Julien Ahrens.
It’s worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution. As of July 2025, the vulnerability has come under active exploitation in the wild.
According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.
Ahrens, in a proof-of-concept (PoC) exploit, shared on GitHub, noted that the endpoint at “/loginok.html” does not properly validate the value of the “UID” session cookie. As a result, if the supplied value is longer than the maximum path size of the underlying operating system, it triggers an error message that discloses the full local server path.
“Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812,” the researcher added.
There are currently no details on how the vulnerability is being exploited in the wild, and if it’s being abused in conjunction with CVE-2025-47812. In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026.