CISA adds Wing FTP information disclosure flaw CVE-2025-47813 to KEV catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an alert that it added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog on Monday after finding evidence of active exploitation. The medium-severity information disclosure bug has a CVSS score of 4.3 and affects Wing FTP Server up to and including version 7.4.3.

KEY FACTS

  • Vulnerability: CVE-2025-47813, information disclosure, CVSS 4.3
  • Affected software: Wing FTP Server versions prior to and including 7.4.3
  • Fix: Patched in version 7.4.4, released in May 2025
  • FCEB guidance: Agencies advised to apply fixes by March 30, 2026

The flaw causes the application to generate error messages that reveal the installation path when a long value is supplied in the UID session cookie for the /loginok.html endpoint. A proof-of-concept on GitHub provides technical details showing how an oversized UID can trigger the disclosure.
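For defenders who want to spot probing of this endpoint in existing logs and confirm which installs still sit in the affected range, the following is an added example and is not code from the article, CISA, or the vendor. The log line format, the `UID` cookie length threshold, and the field names are constructed assumptions; Wing FTP's real log layout is not described on the page, so the parser must be adapted to whatever log source is actually available.

```python
# Added example (not from the article or the vendor): flag access-log lines
# that look like probing of CVE-2025-47813, i.e. requests to /loginok.html
# carrying an unusually long UID session cookie, and check whether a
# Wing FTP Server version string falls in the affected range (<= 7.4.3).
# The log format and the length threshold below are constructed assumptions.
import re
from typing import Optional

# Assumption: a legitimate UID session cookie is a short token; anything
# longer than this is treated as anomalous. Tune for the real deployment.
MAX_NORMAL_UID_LEN = 64

# Version that the article says corrects the flaw.
FIXED_VERSION = (7, 4, 4)

# Assumed (constructed) log layout: "<client-ip> <method> <path> \"<Cookie header>\"".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<cookies>[^"]*)"$'
)

# Constructed sample log: one normal login, one with an oversized UID cookie,
# and one unrelated request that must not be flagged.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 POST /loginok.html "UID=a1b2c3d4e5f6; lang=en"',
    '203.0.113.10 POST /loginok.html "UID=' + "A" * 300 + '"',
    '198.51.100.7 GET /index.html "UID=' + "B" * 300 + '"',
])


def parse_version(version: str) -> tuple:
    """Turn '7.4.3' into (7, 4, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the version is below the fixed release, i.e. at or under 7.4.3."""
    return parse_version(version) < FIXED_VERSION


def uid_cookie_value(cookie_header: str) -> Optional[str]:
    """Extract the value of the UID cookie from a Cookie header, if present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def flag_suspicious(log_text: str, max_len: int = MAX_NORMAL_UID_LEN) -> list:
    """Return one finding per /loginok.html request whose UID cookie exceeds max_len."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group("path") != "/loginok.html":
            continue
        uid = uid_cookie_value(match.group("cookies"))
        if uid is not None and len(uid) > max_len:
            findings.append({"ip": match.group("ip"), "uid_len": len(uid)})
    return findings


if __name__ == "__main__":
    for version in ("7.4.3", "7.4.4"):
        print(version, "affected" if is_affected(version) else "fixed")
    for finding in flag_suspicious(SAMPLE_LOG):
        print("oversized UID cookie to /loginok.html from", finding["ip"],
              "length", finding["uid_len"])
```

The version check follows the article's own boundary (everything up to and including 7.4.3 is affected), and the log filter deliberately keys on both the path and the cookie length so that long cookies on unrelated pages do not generate noise. A hit should prompt checking the host's version and patch status rather than being treated as proof of compromise on its own.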

All versions prior to and including 7.4.3 are affected. The vendor issued version 7.4.4 in May 2025 to address this issue. That release also corrected a separate critical remote code execution bug tracked as CVE-2025-47812.

CVE-2025-47812 has been observed exploited in the wild. Exploitation of that bug has been used to download and run malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.

There are no public details indicating how CVE-2025-47813 is being exploited in the wild or whether it is being chained with the RCE bug. Federal Civilian Executive Branch agencies are advised to apply the available fixes by March 30, 2026.

WHY IT MATTERS

An information disclosure that reveals a server’s local path can aid attackers in crafting further exploits, including targeting known remote code execution flaws. Organizations running affected Wing FTP versions should install 7.4.4 or later to remove the exposure.