The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly identified vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog after confirming that the flaw is being actively abused by attackers.
The issue, tracked as CVE-2025-47813 with a CVSS score of 4.3, allows attackers to obtain sensitive system information by exposing the installation path of the server under specific conditions.
Error Messages Reveal Sensitive Server Information
According to the agency, the vulnerability appears when the FTP server processes unusually long values inside the UID session cookie.
When this happens, the application generates an error message that inadvertently exposes sensitive details about the system, including the full local installation path of the server.
This behavior occurs due to insufficient validation of session cookie data, which allows oversized input values to trigger the information leak.
Affected Versions and Security Patch
The vulnerability affects all releases of Wing FTP Server up to and including version 7.4.3.
Developers addressed the issue in version 7.4.4, which was released in May after a responsible disclosure from security researcher Julien Ahrens of RCE Security.
Critical Remote Code Execution Bug Also Patched
The same update also resolved another serious vulnerability, CVE-2025-47812, which carries a CVSS score of 10.0 and allows attackers to execute code remotely on affected systems.
Security researchers previously observed active exploitation of this critical flaw in the wild during July 2025.
Investigations from Huntress revealed that attackers used the vulnerability to download malicious Lua scripts, perform system reconnaissance, and deploy remote monitoring tools on compromised servers.
Proof-of-Concept Demonstrates Exploit Technique
A proof-of-concept exploit published by Julien Ahrens shows that the endpoint /loginok.html fails to properly validate the value contained in the UID cookie.
If an attacker supplies a value that exceeds the maximum file path length supported by the operating system, the server returns an error message containing the complete local server directory.
While the vulnerability itself only exposes information, the leaked path data can help attackers perform further attacks, especially when combined with vulnerabilities like CVE-2025-47812.
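As an added defender-side example (not code from the article, the researcher, or the vendor), the following Python flags requests to /loginok.html whose UID cookie is far longer than any legitimate session token, which is the condition that triggers the path leak described above. The record field names, the sample records and the length threshold are assumptions; Wing FTP's real log format is not shown on the page.

```python
import re
from typing import NamedTuple

# Assumption: a legitimate Wing FTP UID session cookie is a short opaque token.
# The vulnerable handler only errors out once the value exceeds the OS path
# limit (MAX_PATH is 260 on Windows, PATH_MAX is 4096 on Linux), but a defender
# can alert far earlier; 128 is a hypothetical threshold, not a vendor value.
MAX_UID_LEN = 128

class Hit(NamedTuple):
    record_no: int
    path: str
    uid_len: int

# Matches the UID=<value> pair inside a Cookie header string (anchored so that
# a cookie merely ending in "UID", e.g. "SUID", is not picked up).
_UID_RE = re.compile(r"(?:^|;\s*)UID=([^;]*)")

def uid_cookie_length(cookie_header: str) -> int:
    """Return the length of the UID cookie value, or 0 when it is absent."""
    m = _UID_RE.search(cookie_header)
    return len(m.group(1)) if m else 0

def find_oversized_uid(records: list[dict]) -> list[Hit]:
    """Flag requests to /loginok.html that carry an oversized UID cookie."""
    hits = []
    for i, rec in enumerate(records, start=1):
        # Scoped to the endpoint named in the advisory; widen the path filter
        # if your own review shows the cookie is parsed elsewhere too.
        if not rec["path"].startswith("/loginok.html"):
            continue
        n = uid_cookie_length(rec.get("cookie", ""))
        if n > MAX_UID_LEN:
            hits.append(Hit(i, rec["path"], n))
    return hits

# Constructed sample records (hypothetical field names "path" and "cookie").
SAMPLE = [
    {"path": "/loginok.html", "cookie": "UID=" + "a" * 32},           # normal
    {"path": "/loginok.html", "cookie": "lang=en; UID=" + "A" * 300}, # suspect
    {"path": "/index.html", "cookie": "UID=" + "B" * 5000},          # out of scope
    {"path": "/loginok.html", "cookie": "theme=dark"},               # no UID
]

if __name__ == "__main__":
    for h in find_oversized_uid(SAMPLE):
        print(f"record {h.record_no}: {h.path} UID cookie length {h.uid_len}")
```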
Federal Agencies Urged to Apply Fixes
Although detailed information about current exploitation methods has not been disclosed, security authorities confirmed that the flaw is actively being abused.
Because of this risk, U.S. federal civilian agencies are required to apply the available security updates by March 30, 2026.