CISA has added a medium-severity information disclosure flaw in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog. The bug, tracked as CVE-2025-47813, lets an unauthenticated attacker learn the server's local installation path, a detail that is then used to make follow-on attacks more reliable.
The listing follows evidence that attackers are actively exploiting this weakness. The vulnerability lies in how the application builds its error message when it receives an excessively long value in a session cookie: the resulting error page echoes the full filesystem path of the installation back to the client.
Although the issue itself is rated medium severity, its real-world danger lies in how it assists other exploits. Knowing the exact installation path lets an attacker exploit a separate, critical vulnerability in the same product far more effectively, gaining full remote control of the server. This chain has already been observed in the wild, with attackers using it to run malicious scripts and install unauthorized monitoring software.
The researcher who discovered the flaw found that the login page does not check the length of the UID cookie. If an attacker supplies a value longer than the operating system's maximum path length, the server does not handle the resulting filesystem error cleanly and returns an error message containing the full installation directory. That path is a map for an attacker deciding where to write or execute files on the host.
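The bug class described above, modelled in Python as an added illustration (this is not Wing FTP Server code, and the install directory, session-file layout, 64-character session-id bound and the 5,000-character probe value are all assumptions). The vulnerable handler copes with a missing session file but lets any other OSError, such as the ENAMETOOLONG raised when the cookie pushes the path past the OS limit, reach the client with the absolute path embedded in its text. The hardened handler validates the cookie before touching the filesystem and never returns errno text.

```python
import os
import re
import tempfile

# Assumed install layout of a hypothetical server (not Wing FTP's real paths).
INSTALL_DIR = os.path.join(tempfile.gettempdir(), "wftpserver")
SESSION_DIR = os.path.join(INSTALL_DIR, "session")

# Assumed bound on a legitimate session id: real servers issue short,
# fixed-length ids, so anything longer (or non-alphanumeric) is hostile.
MAX_UID_LEN = 64
UID_RE = re.compile(r"[A-Za-z0-9]{1,%d}" % MAX_UID_LEN)


def vulnerable_login(cookies):
    """Model of the flaw: the UID cookie flows unchecked into a path. A missing
    session is handled, but an over-long name raises a different OSError
    (ENAMETOOLONG) whose text, including the absolute path, is echoed back."""
    uid = cookies.get("UID", "")
    os.makedirs(SESSION_DIR, exist_ok=True)
    session_file = os.path.join(SESSION_DIR, uid)
    try:
        os.stat(session_file)
    except FileNotFoundError:
        return 401, "Invalid session"          # anticipated case: no leak
    except OSError as exc:
        # Unanticipated error class: str(exc) embeds session_file, which
        # starts with INSTALL_DIR -> installation path disclosure.
        return 500, "Login error: %s" % exc
    return 200, "Welcome back, %s" % uid


def hardened_login(cookies):
    """Fix: check length and charset before any filesystem access, and return
    the same generic message for every failure."""
    uid = cookies.get("UID", "")
    if not UID_RE.fullmatch(uid):
        return 400, "Invalid session"          # rejects empty, long, ../ etc.
    session_file = os.path.join(SESSION_DIR, uid)
    try:
        os.stat(session_file)
    except OSError:
        return 401, "Invalid session"          # generic, path-free
    return 200, "Welcome back, %s" % uid


def leaks_install_path(body):
    """Response check: did the server disclose its install directory?"""
    return INSTALL_DIR in body


if __name__ == "__main__":
    # Constructed cookie values: a normal id and one long enough to exceed
    # PATH_MAX (4096 bytes on Linux, 1024 on macOS).
    for cookie in ({"UID": "a1b2c3"}, {"UID": "A" * 5000}):
        for handler in (vulnerable_login, hardened_login):
            status, body = handler(cookie)
            print(handler.__name__, len(cookie["UID"]), status,
                  "LEAK" if leaks_install_path(body) else "ok", body[:70])
```

Two things carry over to real servers: validate cookie values against the shape you issued them in (length and alphabet) before they reach any filesystem or database call, and treat every exception in the login path as internal, logging the detail server-side and sending the client one fixed message.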
The vendor fixed this issue in version 7.4.4, the same release that addressed the far more severe remote code execution bug. Versions 7.4.3 and earlier are affected by both. Because the flaws are being exploited in real attacks, organizations running this software should update immediately.
The KEV listing sets a remediation deadline for federal civilian agencies, and CISA urges private organizations to treat it with the same urgency. With exploit code already public on platforms such as GitHub, the window for patching is short. Administrators should verify the installed version and upgrade to 7.4.4 (the May release) or later, which closes both the path leak and the remote code execution flaw.
Source: CISA Flags Actively Exploited Wing FTP Bug Leaking Server Paths