🟒 CVE-2025-47813

CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server that reveals the full local installation path through error messages when a long UID cookie value is used. While Wing FTP Server is commonly deployed as internet-facing infrastructure, this vulnerability only leaks path information and does not provide direct system compromise capabilities.

Risk Level: LOW_RISK

CVSS Score: 4.3

Attack Vector: NETWORK

ATT&CK Tactic: Discovery

ATT&CK Technique: T1082 — System Information Discovery

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-10

Added to CISA KEV: 2026-03-16 (249 days between CVE and KEV)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-47813 is an information disclosure vulnerability affecting Wing FTP Server that has been confirmed as actively exploited in the wild [4].

Overview and Impact
The vulnerability exists in the `loginok.html` component of Wing FTP Server. By supplying a specially crafted, long value in the `UID` cookie, an attacker can force the application to disclose its full local installation path [3].

While this vulnerability is an information disclosure flaw rather than a remote code execution (RCE) bug, it is considered dangerous because it provides critical reconnaissance information. This path disclosure can be used to facilitate the exploitation of other vulnerabilities, such as CVE-2025-47812, by helping attackers map the file system and target specific application files [2] [5].

Exploitation Details
  • Active Exploitation: The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, confirming it is being actively used in real-world attacks [1] [6].
  • Requirements: Exploitation requires low-privileged access to the server [4].
  • Attack Vector: It is a network-based attack, as it involves manipulating cookies sent to the web interface of the FTP server.

Affected Versions and Mitigation
  • Affected Versions: Wing FTP Server versions prior to 7.4.4 are vulnerable.
  • Status: Users are strongly advised to update to version 7.4.4 or later to remediate the issue. Because this vulnerability is actively exploited, CISA has mandated that federal agencies patch their systems to mitigate the risk of follow-on attacks [1] [5].

Sources

  1. CVE-2025-47813 Detail - NVD

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ...

  2. advisories/CVEs/CVE-2025-47813.txt at master - GitHub

    Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812.

  3. CVE-2025-47813 — Wing FTP Server Information Disclosure Vulnerability ...

    loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

  4. CISA flags Wing FTP Server flaw as actively exploited in attacks

    Tracked as CVE-2025-47813, the security flaw allows threat actors with low privileges to discover the full local installation path of the application on unpatched servers.

  5. CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

    CISA adds Wing FTP CVE-2025-47813 to KEV after active exploitation, exposing server paths and aiding attacks; patch by March 30, 2026.

  6. πŸ›‘οΈ We added Wing FTP Server information disclosure ...

    We added Wing FTP Server information disclosure vulnerability CVE-2025-47813 to our KEV Catalog. Visit go.dhs.gov/Z3Q for more information.