This Old Wing FTP Bug Is Handing Attackers a Map to Your Server
Federal agencies have until March 30 to patch a Wing FTP Server vulnerability that leaks the server's installation path, and the clock is ticking.
What Happened?
On March 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated medium severity with a CVSS score of 4.3, affects all versions of Wing FTP Server up to and including 7.4.3.
The bug lives in how the server handles the “UID” session cookie at the /loginok.html endpoint. When an unusually long value is sent in that cookie, the server throws an error, and the error message includes the full local installation path of the application. It’s a small slip with real consequences.
Researcher Julien Ahrens of RCE Security discovered and responsibly disclosed the flaw. A patch shipped in version 7.4.4 in May 2025.
What’s the Impact?
On its own, leaking a server path sounds minor. It’s not.
This flaw works as a stepping stone. Knowing exactly where the application lives on disk removes the guesswork from exploiting CVE-2025-47812, a separate, critical bug in Wing FTP Server that carries a CVSS score of 10.0 and allows full remote code execution. That vulnerability has been actively exploited since at least July 2025.
According to research from Huntress, attackers targeting the RCE vulnerability have downloaded and run malicious Lua files, conducted reconnaissance, and installed remote monitoring tools to maintain access. The information leak from CVE-2025-47813 could make those attacks easier to pull off.
Whether the two flaws are being chained together in the wild right now hasn’t been confirmed publicly. But the relationship between them is well documented, CISA adds a bug to KEV only when it has evidence of active exploitation, and the most plausible use of a path leak like this one is as a precursor to the RCE. CISA flagging the path-disclosure bug this week suggests it’s being used for exactly that purpose.
How to Avoid This
If you’re running Wing FTP Server, the fix is available and straightforward: update to version 7.4.4 or later. That version closes both CVE-2025-47813 and the critical RCE flaw CVE-2025-47812, so a single update removes the whole chain.
For Federal Civilian Executive Branch (FCEB) agencies, CISA has set a hard deadline of March 30, 2026 to apply the patch.
For everyone else: don’t wait on this one. The flaw is being exploited, a proof-of-concept is publicly available on GitHub, and the patch has been out for nearly a year. There’s no reason to leave this open.
A few other steps are worth taking alongside the update: audit who has authenticated access to your FTP server, review the web logs for unusually long UID cookie values sent to /loginok.html and for unexpected server errors on that endpoint, and check whether remote monitoring tools have been installed without authorization. If that review turns up signs of exploitation, patching alone isn’t enough: because CVE-2025-47812 gives an attacker code execution, treat the host as potentially compromised and investigate before trusting it again.
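A practical version of that log review, as an added example (this is not code from the article, from Wing FTP, or from the researchers cited): a Python scan over web access log lines that flags requests to /loginok.html carrying an oversized UID cookie or returning a server error. The log layout, the field names and the 64-character threshold are assumptions made for the example; the sample lines are constructed, not captured traffic. Adapt `LOG_RE` to whatever your server actually writes and set the threshold from a baseline of legitimate session ids.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical access-log layout used for this example. Wing FTP Server's real web
# log format is not reproduced here; adapt LOG_RE to the lines your server writes.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)
UID_RE = re.compile(r'(?:^|;\s*)UID=(?P<uid>[^;]*)')

# Constructed sample traffic: two ordinary logins, one oversized UID that trips a
# server error, and one unrelated request. None of this is captured data.
SAMPLE_LOG = "\n".join([
    '2026-03-17 09:58:01 198.51.100.7 POST /loginok.html 302 cookie="UID=3f9c2a1b7d4e5f60a1b2c3d4"',
    '2026-03-17 09:58:44 203.0.113.5 POST /loginok.html 500 cookie="UID=' + 'A' * 400 + '"',
    '2026-03-17 09:59:10 203.0.113.5 GET /login.html 200 cookie="-"',
    '2026-03-17 10:00:02 198.51.100.9 POST /loginok.html 200 cookie="UID=0a1b2c3d4e5f60718293a4b5"',
])


@dataclass
class Request:
    ts: str
    ip: str
    method: str
    path: str
    status: int
    uid: Optional[str]


@dataclass
class Finding:
    ts: str
    ip: str
    uid_len: int
    reasons: List[str]


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line into a Request; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uid_match = UID_RE.search(m.group("cookie"))
    return Request(
        ts=m.group("ts"),
        ip=m.group("ip"),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
        uid=uid_match.group("uid") if uid_match else None,
    )


def find_suspicious(log_text: str, max_uid_len: int = 64) -> List[Finding]:
    """Flag /loginok.html requests whose UID cookie is abnormally long or that
    produced a server error. max_uid_len is an assumed threshold: measure the
    length of legitimate session ids on your own server and set it well above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or req.path != "/loginok.html":
            continue
        reasons = []
        uid_len = len(req.uid) if req.uid is not None else 0
        if uid_len > max_uid_len:
            reasons.append(f"UID cookie length {uid_len} exceeds {max_uid_len}")
        if req.status >= 500:
            reasons.append(f"server error {req.status} on login endpoint")
        if reasons:
            findings.append(Finding(req.ts, req.ip, uid_len, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} uid_len={f.uid_len}: " + "; ".join(f.reasons))
```

Two signals are checked separately on purpose: an oversized cookie is the probe itself, while a 5xx on the login endpoint is the error the article describes leaking the path, and either one alone is worth a look. A hit from an address that later authenticates successfully, or that coincides with new processes or remote monitoring tools on the host, should be escalated rather than just patched over.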