
CISA Warns of Active Attacks Exploiting Wing FTP Server Flaw

Summary

– CISA warned U.S. government agencies to urgently secure their Wing FTP Server instances against an actively exploited vulnerability (CVE-2025-47813).
– The vulnerability allows a low-privileged attacker to learn the full local installation path of the application, an information leak that is useful for staging follow-on attacks.
– This flaw can be chained with a critical remote code execution bug (CVE-2025-47812) that was previously exploited in the wild.
– Federal agencies have two weeks to patch under a binding directive, while all organizations are encouraged to apply mitigations immediately.
– The developer released a patch for these vulnerabilities in Wing FTP Server version 7.4.4 in May 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding active attacks targeting a vulnerability in Wing FTP Server software. This flaw, which can reveal sensitive system information, is being exploited and could be combined with other vulnerabilities to enable remote code execution (RCE). Federal agencies have been directed to apply patches within two weeks, and all organizations using this software are strongly advised to take immediate action.

Wing FTP Server is a widely adopted file transfer solution supporting FTP, SFTP, and web-based transfers. Its user base spans more than 10,000 organizations worldwide, including major corporations such as Sony and Airbus and government bodies such as the U.S. Air Force. The vulnerability, tracked as CVE-2025-47813, allows an attacker with minimal permissions to uncover the complete local installation path on servers that have not been updated. According to CISA, the issue arises when the software processes an overly long value in the UID cookie: the resulting error message includes the installation path.

The software’s developer addressed this flaw in May 2025 with the release of Wing FTP Server version 7.4.4. This update also patched a separate, critical remote code execution bug tracked as CVE-2025-47812 and an information disclosure vulnerability, CVE-2025-27889, which could be used to steal user passwords. Notably, the RCE flaw was observed being actively exploited in the wild shortly after its technical details were publicly disclosed.
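Two checks a defender would want from the two paragraphs above, written here as an added example rather than code from Wing FTP, CISA, or the original article: a version comparison against the fixed release the article names (7.4.4), and a scan of HTTP request records for a UID cookie whose value is far longer than a normal session identifier, which is the trigger the article describes for CVE-2025-47813. The 256-byte threshold and the sample requests are constructed for illustration; the article does not state what length triggers the error.

```python
"""Triage helpers for the Wing FTP Server advisory discussed above.

Added example, not code from Wing FTP, CISA or the article's source.
  1. is_vulnerable_version(): compares a reported Wing FTP Server version
     string against 7.4.4, the release the article names as the fix.
  2. find_oversized_uid_cookies(): scans HTTP request records for a UID
     cookie whose value is suspiciously long, the trigger the article
     describes for CVE-2025-47813. The 256-byte threshold is an assumption;
     the article does not state the length that produces the error.
"""
import re
from typing import Iterable

FIXED_VERSION = (7, 4, 4)      # per the article: patched in 7.4.4
UID_LENGTH_THRESHOLD = 256     # assumption: real session IDs are far shorter


def parse_version(version: str) -> tuple:
    """Turn '7.4.3' or 'Wing FTP Server 7.3.0' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def find_oversized_uid_cookies(requests: Iterable[dict],
                               threshold: int = UID_LENGTH_THRESHOLD) -> list:
    """Return (client, uid_length) for each request whose UID cookie
    exceeds the threshold.

    Each request is a dict with 'client' and 'headers' keys; 'headers' maps
    lower-case header names to their values (the shape is an assumption).
    """
    hits = []
    for req in requests:
        cookie_header = req.get("headers", {}).get("cookie", "")
        uid = parse_cookies(cookie_header).get("UID")
        if uid is not None and len(uid) > threshold:
            hits.append((req.get("client"), len(uid)))
    return hits


# Constructed sample traffic, not captured from a real system.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5",
     "headers": {"cookie": "UID=3f2a9c1e7b4d; lang=en"}},
    {"client": "203.0.113.9",
     "headers": {"cookie": "UID=" + "A" * 2048}},   # oversized UID value
    {"client": "10.0.0.7",
     "headers": {}},                                 # no cookies at all
]

if __name__ == "__main__":
    print("7.4.3 vulnerable:", is_vulnerable_version("7.4.3"))
    print("7.4.4 vulnerable:", is_vulnerable_version("7.4.4"))
    for client, length in find_oversized_uid_cookies(SAMPLE_REQUESTS):
        print(f"oversized UID cookie from {client}: {length} bytes")
```

The cookie scan is a hunting aid, not proof of compromise: a long UID value shows someone probed the trigger, and the version check tells you whether that probe could have produced the leaking error. Run both against the instances in your inventory before treating any host as clean.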

Security researcher Julien Ahrens, who discovered and reported these vulnerabilities, published proof-of-concept exploit code for CVE-2025-47813 in June. He noted that attackers could potentially chain this path disclosure flaw with the critical RCE vulnerability (CVE-2025-47812) to mount more severe attacks. In response to the active threat, CISA formally added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog. This action triggers a mandate for Federal Civilian Executive Branch agencies to remediate the issue within a strict two-week deadline, under the authority of Binding Operational Directive (BOD) 22-01.

Although the binding directive applies specifically to federal agencies, CISA emphasizes that the risk extends far beyond the public sector. The agency strongly urges all organizations, including private companies, to prioritize patching their Wing FTP Server installations without delay. CISA has characterized this class of vulnerability as a common and dangerous attack vector for malicious cyber actors, posing substantial risk to any enterprise network.

The agency’s guidance is clear: administrators must apply the vendor-provided patches immediately. For cloud-based services, they should adhere to the relevant BOD 22-01 procedures. If patching is not feasible, the only secure alternative is to discontinue using the vulnerable product altogether to eliminate the associated risk.

(Source: Bleeping Computer)
