HomeIntelligenceBrief
VULNERABILITY BRIEF🟢 Low Vulnerability

Information Disclosure in Wing FTP Server (CVE‑2025‑47813) Added to CISA KEV Catalog

CISA has added CVE‑2025‑47813, an information‑disclosure flaw in Wing FTP Server ≤ 7.4.3, to its Known Exploited Vulnerabilities catalog. The bug leaks the server’s installation path via a crafted UID cookie, aiding reconnaissance and downstream attacks. Third‑party risk teams should prioritize patching or mitigating this vulnerability before the March 30 2026 federal deadline.

LiveThreat™ Intelligence · 📅 March 17, 2026· 📰 securityaffairs.com
🟢
Severity
Low
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Information Disclosure in Wing FTP Server (CVE‑2025‑47813) Added to CISA KEV Catalog

What It Is – A path‑disclosure flaw in Wing FTP Server ≤ 7.4.3 that reveals the full local installation directory when a crafted, overly‑long UID cookie is processed. The vulnerability (CVE‑2025‑47813) scores CVSS 4.3 (Low).

Exploitability – Publicly disclosed; no public PoC for remote code execution, but the bug is actively listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating observed or anticipated exploitation in the wild.

Affected Products – Wing FTP Server versions prior to 7.4.4 (all OS variants).

TPRM Impact – Organizations that rely on Wing FTP Server for internal or partner file transfers may expose internal directory structures, facilitating subsequent attacks (e.g., path traversal, file inclusion). The flaw can propagate through supply‑chain relationships where the server is a third‑party service.

Recommended Actions

  • Upgrade to Wing FTP Server 7.4.4 or later immediately.
  • If upgrade is not feasible, block or truncate UID cookies at the web‑application firewall.
  • Conduct a configuration review to ensure the server is not exposed to untrusted networks.
  • Verify compliance with CISA’s Binding Operational Directive 22‑01 (remediation deadline 30 Mar 2026).

Source: SecurityAffairs article

📰 Original Source
https://securityaffairs.com/189530/security/u-s-cisa-adds-a-flaw-in-wing-ftp-server-to-its-known-exploited-vulnerabilities-catalog.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →