Information Disclosure in Wing FTP Server (CVE-2025-47813) Added to CISA KEV Catalog
What It Is – A path-disclosure flaw in Wing FTP Server ≤ 7.4.3: when the server processes a crafted, overly long UID cookie, it reveals the full local installation directory. The vulnerability (CVE-2025-47813) carries a CVSS score of 4.3 (Low).
Exploitability – Publicly disclosed. There is no public PoC for remote code execution, but the flaw is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which indicates observed or anticipated exploitation in the wild.
Affected Products – Wing FTP Server versions prior to 7.4.4 (all OS variants).
TPRM (third-party risk management) Impact – Organizations that rely on Wing FTP Server for internal or partner file transfers may expose their internal directory structure, which can facilitate follow-on attacks (e.g., path traversal, file inclusion). The exposure can propagate through supply-chain relationships where the server is operated as a third-party service.
Recommended Actions –
- Upgrade to Wing FTP Server 7.4.4 or later immediately.
- If upgrading is not feasible, block or truncate UID cookies at the web-application firewall.
- Conduct a configuration review to ensure the server is not exposed to untrusted networks.
- Verify compliance with CISA's Binding Operational Directive 22-01 (remediation deadline 30 Mar 2026).
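As an added example (not code from the advisory, from SecurityAffairs or from Wing FTP Server), the Python helper below covers two of the checks above from the defender's side: it decides whether a reported Wing FTP Server version is below the fixed 7.4.4 release, and it scans web-server or proxy log lines for requests carrying an oversized UID cookie, which is the trigger described under "What It Is" and the traffic the WAF rule is meant to stop. The log line format, the 256-character threshold (the advisory only says "overly long") and the sample lines are assumptions constructed for illustration.

```python
"""Affected-version check and oversized-UID-cookie detection for
Wing FTP Server (CVE-2025-47813).

Added example, not part of the advisory or of Wing FTP Server.
The log format, MAX_UID_LEN and the sample lines are assumptions.
"""
import re

# Assumption: the advisory gives no number for "overly long"; pick a
# threshold well above any legitimate UID cookie seen in your deployment.
MAX_UID_LEN = 256

# First fixed release per the advisory.
FIXED_VERSION = (7, 4, 4)

# Assumed log format: <timestamp> <client-ip> "<method> <path> <proto>"
# <status> cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)


def parse_version(version):
    """Turn '7.4.3' (or 'v7.4.3') into (7, 4, 3); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True for any Wing FTP Server release before 7.4.4 (all OS variants)."""
    return parse_version(version) < FIXED_VERSION


def cookie_values(cookie_header):
    """Split a Cookie header into {name: value}, ignoring malformed pieces."""
    out = {}
    for piece in cookie_header.split(";"):
        if "=" not in piece:
            continue
        name, _, value = piece.partition("=")
        out[name.strip()] = value.strip()
    return out


def find_oversized_uid(lines, max_len=MAX_UID_LEN):
    """Return one record per log line whose UID cookie exceeds max_len."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the assumed format; skip rather than guess
        uid = cookie_values(m.group("cookie")).get("UID", "")
        if len(uid) > max_len:
            hits.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "path": m.group("path"),
                "status": m.group("status"),
                "uid_len": len(uid),
            })
    return hits


# Constructed sample log lines; the third one carries a 2048-byte UID cookie.
SAMPLE_LOG = [
    '2025-07-14T10:01:22Z 203.0.113.5 "GET / HTTP/1.1" 200 cookie="UID=a1b2c3d4e5f6"',
    '2025-07-14T10:01:23Z 203.0.113.5 "GET / HTTP/1.1" 200 cookie="lang=en; UID=a1b2c3d4e5f6"',
    '2025-07-14T10:01:30Z 198.51.100.7 "GET / HTTP/1.1" 500 cookie="UID=' + "A" * 2048 + '"',
    '2025-07-14T10:01:31Z 198.51.100.7 "GET / HTTP/1.1" 200 cookie=""',
]


if __name__ == "__main__":
    for v in ("7.4.3", "7.4.4", "7.5.0"):
        print(f"Wing FTP Server {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for hit in find_oversized_uid(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} status={hit['status']} "
              f"UID cookie length={hit['uid_len']}")
```

Feed `find_oversized_uid` the Cookie header as logged by the reverse proxy in front of the server; the hit list is what to correlate with the WAF block/truncate rule and with any 5xx responses from the Wing FTP host.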
Source: SecurityAffairs article