CISA KEV Alert: Actively Exploited Wing FTP Server Flaw Added to Catalog

Executive Summary

On March 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch the flaw by March 30, 2026. The vulnerability, tracked as CVE-2025-47813, is a medium-severity information disclosure flaw that is now confirmed to be actively exploited by threat actors.

The flaw allows an unauthenticated attacker to retrieve the full local installation path of the server software. While path disclosure is not as severe as remote code execution, its inclusion in the KEV catalog highlights that attackers are actively using it as a crucial first step in their attack chains. This information helps them tailor subsequent exploits against the target system. A patch has been available from the vendor since May 2025, and all organizations using Wing FTP Server are strongly urged to update immediately.

Vulnerability Details

CVE ID: CVE-2025-47813
CVSS Score: 4.3 (Medium)
Vulnerability Type: Information Disclosure
Description: The vulnerability exists in the web authentication process of the Wing FTP Server. An unauthenticated remote attacker can send a specially crafted HTTP request to the loginok.html page containing an overly long value in the UID cookie. The server fails to handle this input properly and responds with an error message that contains the full, absolute file path of the server's installation directory (e.g., C:\Program Files\Wing FTP Server\).
Attack Vector: Remote, unauthenticated.

Affected Systems

Wing FTP Server: All versions prior to 7.4.4.

Exploitation Status

CISA has confirmed that CVE-2025-47813 is being actively exploited in the wild. Attackers are using this vulnerability for reconnaissance purposes. The information disclosure provides them with valuable intelligence about the target environment, such as the operating system (inferred from the path structure) and the exact location of server files. This knowledge can be used to facilitate more complex attacks, such as exploiting a file upload vulnerability to place a webshell in a known location or targeting other vulnerabilities that require knowledge of the server's file structure.

Impact Assessment

On its own, this vulnerability has a limited impact. It does not grant the attacker access to data or the ability to execute code. However, its true danger lies in its role as an enabler for more serious attacks. By revealing the server's installation path, it lowers the barrier for an attacker to:

Target other vulnerabilities: Knowing the exact path makes it easier to craft exploits for path traversal or file inclusion vulnerabilities.
Upload malicious files: If an attacker finds another flaw that allows file uploads, they know exactly where to place a script or executable to be able to access it from the web.
Fingerprint the system: The path structure (C:\... vs. /var/www/...) instantly tells the attacker if the server is running on Windows or Linux, allowing them to focus their efforts with OS-specific exploits.

Its addition to the KEV catalog means that CISA has credible evidence that this reconnaissance step is part of an active attack chain leading to greater compromise.

Cyber Observables for Detection

Detection should focus on anomalous requests to the server's web interface.

Type

url_pattern

Value

*/loginok.html

Description

Monitor for requests to this specific page, especially those that result in a server error (HTTP 500).

Context

Web server access logs, WAF logs

Confidence

High

Type

network_traffic_pattern

Value

Unusually long UID cookie value

Description

Inspect HTTP headers for requests containing a UID cookie with a value significantly longer than normal (e.g., > 1024 bytes).

Context

WAF, IDS/IPS, Deep Packet Inspection

Confidence

High

Type

log_source

Value

Wing FTP Server application logs

Description

Review server logs for error messages related to malformed authentication requests or cookie handling.

Context

Application log analysis

Confidence

Medium

Detection Methods

Web Application Firewall (WAF): Implement a WAF rule to inspect the length and content of the UID cookie in requests to the Wing FTP Server web interface. Block any requests with an abnormally long value.
Log Analysis: Ingest Wing FTP Server web access logs into a SIEM. Create an alert rule to trigger on multiple HTTP 500 errors for the loginok.html page, especially if originating from the same source IP address. This could indicate scanning or exploitation attempts.
Vulnerability Scanning: Regularly scan your external perimeter for instances of Wing FTP Server and verify they are running version 7.4.4 or later.

Remediation Steps

Update Software (M1051 - Update Software): The primary and most effective remediation is to upgrade all instances of Wing FTP Server to version 7.4.4 or newer. The patch has been available since May 2025.
Restrict Access (M1035 - Limit Access to Resource Over Network): If the web administration interface is not required for public access, restrict access to it using a firewall. Allow connections only from trusted internal IP addresses or an administrative VPN.
Virtual Patching: If immediate upgrading is not possible, use a WAF or IDS/IPS to create a virtual patch that blocks requests matching the exploit signature (i.e., long UID cookie value sent to loginok.html). This is a temporary compensating control and not a substitute for updating the software.

CISA Adds Actively Exploited Wing FTP Server Information Disclosure Flaw (CVE-2025-47813) to KEV Catalog