CISA adds Wing FTP Server flaw to KEV list after active exploitation warning
CISA has added a Wing FTP Server information disclosure bug to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaw, tracked as CVE-2025-47813, affects unpatched Wing FTP Server instances and can expose the full local installation path of the application, which could help attackers build more dangerous exploit chains.
The warning matters because the bug does not stand alone. Wing FTP fixed CVE-2025-47813 in version 7.4.4 alongside a more serious remote code execution flaw, CVE-2025-47812. Security researcher Julien Ahrens has said the path disclosure issue may be used as part of the same attack chain, making the latest CISA action more significant than a routine catalog update.
CISA’s KEV entry describes CVE-2025-47813 as a vulnerability that generates an error message containing sensitive information when a long value is supplied in the UID cookie. In practical terms, that can leak the server’s local install path to a low-privileged attacker on an unpatched system. CISA added the flaw to the KEV catalog on March 16, 2026, based on evidence of active exploitation.
Wing FTP’s own release history shows version 7.4.4, released on May 14, 2025, fixed both the full path disclosure bug and a possible remote code execution vulnerability tied to logged-in sessions running as Root or SYSTEM. That combination helps explain why defenders should treat this issue as more than a minor information leak. On exposed servers, path disclosure can give attackers useful context for follow-on exploitation.
For federal agencies, the CISA listing triggers a firm deadline. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies have until April 6, 2026, to remediate the issue. While the directive applies to federal systems, CISA also urged all organizations to follow vendor guidance or stop using the product if mitigations are not available.
Why the Wing FTP warning matters
Wing FTP is not a niche utility used by a handful of organizations. The vendor says the product is used by more than 10,000 customers worldwide and supports FTP, SFTP, and web-based file transfer services. That broad footprint means even a flaw that starts as information disclosure can become valuable to attackers looking for footholds in enterprise environments.
The latest CISA action also follows earlier public research around Wing FTP’s remote code execution exposure. Ahrens’ June 2025 write-up on CVE-2025-47812 explained how flaws in the product’s web interface and session handling could lead to code execution as root on Linux or SYSTEM on Windows in default configurations. The same research separately listed CVE-2025-47813 as a local path disclosure issue tied to an overlong UID session cookie.
Wing FTP Server flaw summary
| Detail | Information |
|---|---|
| Vulnerability | CVE-2025-47813 |
| Product | Wing FTP Server |
| Issue type | Information disclosure |
| What it exposes | Full local installation path through an error message tied to an overlong UID cookie |
| Exploitation status | Actively exploited, according to CISA |
| Fixed in | Wing FTP Server 7.4.4 |
| Related risk | May be chained with CVE-2025-47812 in remote code execution attacks |
| Federal deadline | April 6, 2026 |
What admins should do now
- Update Wing FTP Server to version 7.4.4 or later.
- Review internet-exposed Wing FTP instances first, especially those with web access enabled.
- Check for unusual activity involving UID cookie handling, unexpected error leakage, or signs of follow-on abuse.
- Prioritize systems that may still run with default high privileges such as Root or SYSTEM.
- Follow CISA guidance and discontinue use if mitigations are unavailable.
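As an added illustration of the "check for unusual activity involving UID cookie handling" step above (example code written for this page, not from the article, CISA or the vendor): a small Python scanner that flags access-log entries carrying an overlong UID cookie and records whether the server answered with an error, which is the pattern a leaked error page would leave behind. The log layout, the 64-character threshold and the sample lines are constructed assumptions; adapt the regex to your own Wing FTP or reverse-proxy log format.

```python
import re

# Hypothetical access-log layout (constructed for this example): common log
# format with the request's Cookie header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

# Assumed threshold: legitimate session identifiers are short fixed-size tokens.
MAX_UID_LEN = 64

def uid_cookie_value(cookie_header):
    """Return the value of the UID cookie from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None

def flag_suspicious(lines, max_len=MAX_UID_LEN):
    """Return one finding per request whose UID cookie exceeds max_len."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed line; tighten LOG_RE for your own format
        uid = uid_cookie_value(m.group("cookie"))
        if uid is None or len(uid) <= max_len:
            continue
        findings.append({
            "ip": m.group("ip"),
            "request": m.group("req"),
            "status": int(m.group("status")),
            "uid_len": len(uid),
            # An overlong cookie paired with a 5xx response is the case to
            # triage first: it suggests the error condition was reached.
            "error_response": m.group("status").startswith("5"),
        })
    return findings

# Constructed sample lines: one normal session, one overlong UID with a server
# error, one overlong UID hidden behind another cookie with a normal response.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "UID=3f9a1c2e7b8d4f60"',
    '203.0.113.77 - - [16/Mar/2026:10:00:05 +0000] "GET / HTTP/1.1" 500 2048 "UID=' + "A" * 2000 + '"',
    '198.51.100.5 - - [16/Mar/2026:10:00:09 +0000] "POST / HTTP/1.1" 200 512 "session=abc; UID=' + "B" * 300 + '"',
]

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOG):
        print(finding)
```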
FAQ
It is an information disclosure flaw in Wing FTP Server that can reveal the product’s full local installation path through an error condition involving a long UID cookie value.
Yes. CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog on March 16, 2026, based on evidence of active exploitation.
No. CVE-2025-47813 is the information disclosure issue. However, public research says it may be chained with CVE-2025-47812, a separate remote code execution flaw fixed in the same release.
Wing FTP Server version 7.4.4 fixes CVE-2025-47813 and the related CVE-2025-47812 issue.