CISA Adds Actively Exploited Wing FTP Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47813, a medium-severity information disclosure flaw in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The vulnerability, assigned a CVSS score of 4.3, leaks the application’s installation path when a maliciously crafted UID cookie triggers an error message.
Affected versions include all releases up to and including 7.4.3, with a patch issued in Wing FTP Server 7.4.4 (released in May 2025). The flaw was responsibly disclosed by RCE Security researcher Julien Ahrens, whose proof-of-concept (PoC) exploit demonstrated that it stems from improper validation of the UID cookie in the /loginok.html endpoint. When exploited, the vulnerability reveals the server's full local path, which could help attackers chain it with other bugs, including the critical remote code execution (RCE) flaw CVE-2025-47812 (CVSS 10.0), which has been actively exploited since July 2025.
Security firm Huntress reported that threat actors have leveraged CVE-2025-47812 to execute malicious Lua scripts, conduct reconnaissance, and deploy remote monitoring and management (RMM) tools. While it remains unclear whether CVE-2025-47813 is being used in tandem with the RCE flaw, its inclusion in CISA's KEV catalog underscores its real-world risk.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by March 30, 2026, though no additional details on the exploitation campaign have been disclosed.
Source: https://thehackernews.com/2026/03/cisa-flags-actively-exploited-wing-ftp.html
Wingtech 闻泰科技 cybersecurity rating report: https://www.rankiteo.com/company/wingtech-group