Information Disclosure in Wing FTP Server by Wing FTP Software
CVE-2025-47813

4.3MEDIUM

Key Information:

Vendor

Wftpserver

Status
Wing Ftp Server
Vendor
CVE Published:
10 July 2025

Badges

πŸ‘Ύ Exploit Exists🟣 EPSS 21%πŸ¦… CISA ReportedπŸ“° News Worthy

What is CVE-2025-47813?

A vulnerability in the loginok.html file of Wing FTP Server allows attackers to disclose the full local installation path of the application when a long value is provided in the UID cookie. This could potentially expose sensitive information that may assist adversaries in launching further attacks against the server. Users of affected versions should consider upgrading to version 7.4.4 or later to mitigate this risk.

CISA has reported CVE-2025-47813

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-47813 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Wing FTP Server 0 < 7.4.4

News Articles

favicon imageThe Hacker News

CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

CISA adds Wing FTP CVE-2025-47813 to KEV after active exploitation, exposing server paths and aiding attacks; patch by March 30, 2026.

4 days ago

favicon imageBleepingComputer

CISA flags Wing FTP Server flaw as actively exploited in attacks

CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks.

4 days ago

References

https://www.wftpserver.com
https://www.rcesecurity.com/2025/06/what-the-null-wing-ft...
https://github.com/MrTuxracer/advisories/blob/master/CVEs...

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ¦…

    CISA Reported

  • πŸ“°

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

JSON
.