CISA Adds CVE-2025-47813 to KEV: Patch Wing FTP Server Now

CISA’s decision to add CVE‑2025‑47813 — an information‑disclosure flaw in Wing FTP Server — to the Known Exploited Vulnerabilities (KEV) Catalog marks another reminder that even so‑called “low‑severity” bugs can be strategically valuable to attackers and deserve operational attention from enterprises and federal agencies alike. The agency’s update elevates the vulnerability from a vendor advisory to an operational priority, and organizations that run Wing FTP Server should treat this as a concrete signal: inventory, assess, and remediate now.

Background / Overview​

Wing FTP Server is a cross‑platform file transfer product used by organizations for managed FTP, SFTP and HTTP/S file distribution and automation. In mid‑2025 researchers identified a set of issues in the product, including a high‑impact remote code execution (RCE) bug (CVE‑2025‑47812) and several associated information‑disclosure issues. One of those information‑disclosure bugs, tracked as CVE‑2025‑47813, affects the loginok.html endpoint and can reveal the server’s full local installation path when a specially crafted, over‑long UID cookie value is submitted. This is classified as CWE‑209: Generation of Error Message Containing Sensitive Information, and the vulnerability is rated medium (CVSS v3.1 ≈ 4.3) by public trackers.
CISA’s KEV Catalog is an operational tool born from Binding Operational Directive (BOD) 22‑01; when the agency lists a CVE there it typically signals documented evidence of exploitation in the wild and triggers accelerated remediation expectations for Federal Civilian Executive Branch (FCEB) agencies. Although the KEV entry for this specific CVE is a recent addition, the underlying Wing FTP Server issues have been monitored and exploited by adversaries since July 2025 — most notably for the RCE flaws — which increases the risk that the associated information disclosure would be used as a reconnaissance / exploitation multiplier.

---

What CVE‑2025‑47813 actually is​

Technical summary​

• Affected software: Wing FTP Server versions prior to 7.4.4 (vendor release history confirms fixes across the 7.4.x line).
• Vulnerability type: Information disclosure via error message (CWE‑209).
• Trigger: sending an excessively long value in the UID cookie to loginok.html causes the server to disclose the full local installation path in the response.
• Impact: disclosure of filesystem layout and installation path (confidentiality loss). No direct integrity or availability impacts are documented for this CVE alone.
• Exploitability: network‑accessible (HTTP/S), low complexity — requires only sending a crafted HTTP request with a long cookie; typically no authentication or just low privileges required depending on configuration.
• Severity: Medium (CVSS v3.1 ≈ 4.3) in multiple vulnerability databases.

Why an information‑disclosure bug matters in practice​

A path disclosure might look trivial compared with RCE, but it is valuable to attackers for several reasons:

• It reduces reconnaissance friction: knowing a target’s install paths enables reliably targeting other local files, crafting path traversal exploits, or tailoring privilege escalation payloads.
• It aids chaining: when combined with other vulnerabilities (including local file inclusion, misconfigurations, weak file permissions or the RCEs already found in Wing FTP Server), path disclosure can significantly increase the speed and success rate of exploitation.
• It provides fingerprinting data: installation paths often reveal operating system, package structure, or the presence of third‑party components that might contain additional vulnerabilities.

Multiple threat‑intelligence teams and vulnerability trackers have observed scanning and opportunistic attempts against Wing FTP Server instances after public disclosures in mid‑2025; that context is what elevates a medium‑severity path disclosure into an operational concern when the KEV Catalog flags it.

---

The evidence behind CISA’s KEV action​

CISA adds items to the KEV Catalog when there is documented evidence of active exploitation. For the Wing FTP Server family of issues, the high‑visibility RCE (CVE‑2025‑47812) attracted initial exploitation observations in July 2025, and security vendors and telemetry networks tracked scanning and attempted attacks targeting related endpoints and session artifacts. Public vulnerability databases and vendor advisories list CVE‑2025‑47813 as a distinct information‑disclosure weakness tied to the same product family and fixed by the vendor in the 7.4.4 release cycle. Those independent records (NVD, vendor advisories aggregated by vulnerability databases and threat telemetry from CrowdSec/Wiz) corroborate the technical details and exploitation trends that underpin CISA’s operational designation.
Important verification note: automated retrieval of CISA’s March 16, 2026 alert may be blocked for some consuming tools at the time of writing, but the agency’s action is reflected in operational reporting and is consistent with the KEV process: a public advisory from CISA adding a single CVE to KEV, followed by vendor patches and public intelligence commentary. Where direct fetches of the CISA page failed during verification, we relied on NVD/CVE databases and multiple vendor/telemetry sources to validate the technical claims and exploitation context. Readers should, as always, consult CISA’s KEV Catalog entry directly for authoritative remediation deadlines and agency instructions.

---

Immediate implications for defenders​

For federal agencies (FCEB)​

• Inventory: Identify every instance of Wing FTP Server — both public‑facing and internal — and record versions and exposure (internet‑accessible vs internal).
• Prioritize: Treat any instance running a version earlier than 7.4.4 as high priority for patching or compensating controls.
• Remediate: Apply vendor updates from Wing FTP Server to move to 7.4.4+ where the fix is available.
• Mitigate if unable to patch: restrict network access, implement host or network‑level filtering to block connections to the admin/web interface, and monitor logs for requests to /loginok.html with unusually long UID cookie values.
• Reporting: Follow BOD 22‑01 timelines and report remediation status per agency directive.

CISA’s KEV designation converts what might otherwise be an item in a monthly patch queue into an operational task with a remediation clock — agencies must prioritize accordingly. The presence of an associated critical RCE in the same product family heightens the priority further.

For private‑sector organizations​

• If you run Wing FTP Server, treat this as a practical alert: patch immediately, especially on externally reachable hosts.
• Where patching is constrained (e.g., legacy appliances or embedded uses), apply compensating controls: network segmentation, access control lists, web application firewalls with rules to block or rate‑limit anomalous requests, and strict logging with alerts for suspicious cookie lengths or repeated 400/500 responses on loginok.html.
• Hunt for indicators: retrospective log analysis for unusual UID cookie activity can identify attempted reconnaissance that preceded more serious intrusion attempts.
• Assume chaining: defenders should assume attackers may use path disclosures to mount follow‑on attacks and plan detections accordingly (file system access anomalies, unexpected processes, web shell indicators).

---

Tactical detection and response guidance​

Detection rules to deploy quickly​

• Alert on HTTP requests to /loginok.html where the UID cookie length exceeds normal operational baselines (for example, > 512 bytes).
• Watch for repeated 4xx/5xx responses from the web interface correlated with anomalous cookie sizes — these can signal scanning and forced error generation.
• Monitor for web‑to‑OS anomalies on servers running Wing FTP (unexpected child processes, unusual binary execution, new scheduled tasks, outbound connections to suspicious IPs).
• Correlate network telemetry with vulnerability scanners and threat feeds to prioritize hosts with both KEV exposure and evidence of scanning.

Incident response priorities if you detect exploitation attempts​

• Isolate the host and preserve volatile logs (web server access logs, system logs, memory if RCE is suspected).
• Conduct a rapid scope assessment: enumerate inbound/outbound connections, child processes, and authorized users.
• Hunt for persistence mechanisms (crontabs, scheduled tasks, startup entries, new service binaries).
• If you cannot confirm compromise quickly, deploy containment: firewall rules to block web interface access, update credentials, rotate keys, and move to patched instances.
• Report to appropriate authorities and share indicators to peer networks where allowed.

These steps are intentionally pragmatic: an information‑disclosure finding often precedes intrusion, so speed in detection and containment is essential.

---

Vendor fixes, timelines, and practical mitigation options​

Wing FTP Server fixed CVE‑2025‑47813 in the 7.4.4 release cycle; system owners should verify patch levels against vendor release notes. If immediate patching is not feasible, defenders should combine:

• Network segmentation: place management interfaces behind VPNs or jump hosts.
• Access restrictions: allow only whitelisted administrative IPs to access the web UI.
• WAF rules: block unusually long cookie values and known attack patterns against the loginok.html endpoint.
• Application hardening: disable anonymous FTP if not needed; reduce privileges of the service account running Wing FTP Server to limit post‑exploit impact.
• Monitoring & logging: centralize logs with alert thresholds tuned to anomalous cookie sizes and repeated error responses.

A layered approach — patching where available, blocking at the network edge, and hunting with telemetry — both reduces attack surface and buys time for controlled patching cycles.

---

Wider risk picture: why “medium” CVEs keep showing up on KEV​

The KEV Catalog does not list only the highest CVSS scores; it lists vulnerabilities for which there is evidence of exploitation. That operational lens explains why a medium‑severity information disclosure like CVE‑2025‑47813 can be flagged: exploitation telemetry, exploit code availability, and pairing with more severe flaws (e.g., the Wing FTP RCE chain) make such bugs operationally significant.
Two broader trends make these additions especially important:

• Adversaries increasingly weaponize chains of small flaws to move laterally or escalate privileges rather than rely on single zero‑day RCEs.
• Public disclosure timelines and PoC releases accelerate exploitation — many recent KEV additions track a pattern where scanning and real‑world attacks follow public technical disclosures within days. Defenders must therefore treat any public vulnerability in an internet‑reachable service with urgency.

---

Strengths and limitations of the public record​

What’s solid​

• Multiple independent vulnerability databases (NVD, Wiz, CVE aggregators) document the technical details of CVE‑2025‑47813 and its remediation in Wing FTP Server 7.4.4. Those records include CWE mapping (CWE‑209) and consistent technical descriptions of the issue.
• Threat telemetry services and community trackers recorded scanning and exploitation activity targeting Wing FTP endpoints in mid‑2025; that historical evidence underpinned CISA’s broader KEV actions for the Wing FTP product family earlier in 2025.

What requires caution​

• Direct automated retrieval of the specific CISA alert dated March 16, 2026 encountered access limitations during verification; while CISA’s KEV entries are authoritative, remote fetches may be blocked by tooling. When that happens we corroborated the action using CVE/NVD entries and independent telemetry. Readers should consult the official KEV Catalog entry for final remediation deadlines and agency guidance.
• Public reporting can sometimes conflate multiple adjacent CVEs in the same product family (for example CVE‑2025‑47812 vs CVE‑2025‑47813). Always verify the exact CVE number and the fixed version before taking operational action.

---

Recommendations (operational checklist)​

• Inventory: produce an authoritative list of all Wing FTP Server instances (host, IP, FQDN, version). Include both on‑premises and cloud VM images.
• Patch: apply Wing FTP Server 7.4.4 or later immediately to hosts running affected versions.
• Isolate: until patched, restrict administrative/web UI access to a small set of trusted IPs and move interfaces behind an authenticated VPN.
• Harden: remove anonymous FTP accounts where not required and run the service under a least‑privilege account.
• Monitor: implement detection rules for abnormal UID cookie lengths against loginok.html and alert on repeated error responses.
• Hunt & respond: search historic logs for suspicious requests and, if present, perform an incident response to detect any follow‑on compromise.
• Report: comply with any KEV remediation timelines applicable to your organization; federal agencies should follow BOD 22‑01 reporting and remediation processes.

---

Final analysis — balancing urgency with context​

Adding CVE‑2025‑47813 to CISA’s KEV Catalog is a pragmatic, operations‑driven choice. The vulnerability itself is modest by CVSS metrics, but the surrounding facts — concurrent RCEs in the same product family, public PoCs and active scanning — create real operational risk. For defenders, the right approach is not panic‑driven emergency changes that break systems, but focused, evidence‑based action: identify exposed assets, apply the vendor‑provided fixes, and close the reconnaissance window that path disclosures provide.
The KEV designation should be read as an operational prioritization signal, not a binary "disaster" label. It is a reminder that attackers build success through recon, chaining, and opportunistic exploitation. Organizations that treat the signal as intended — a directive to inventory, patch, and monitor — will reduce their odds of being the next compromise in an exploit chain.

---

Conclusion​

CVE‑2025‑47813 is a textbook example of how information disclosure vulnerabilities can serve as force multipliers for determined attackers and why CISA’s KEV Catalog exists: to convert exploitation evidence into operational remediation priorities. Whether you manage a federal network or a small enterprise that uses Wing FTP Server, the practical steps are the same today as they will always be in these situations: find the affected installs, apply the vendor update to 7.4.4 or later, harden access to management interfaces, and monitor for signs of reconnaissance or exploitation. The risk can be controlled — but only if defenders act deliberately and quickly.

---

Source: CISA CISA Adds One Known Exploited Vulnerability to Catalog | CISA