
Security News

CISA added CVE-2025-47813, a Wing FTP Server information disclosure flaw, to its Known Exploited Vulnerabilities catalog on March 16, 2026, giving FCEB agencies two weeks to patch. The flaw enables low-privilege attackers to recover the application’s local installation path — a precursor step that researchers confirm can be chained with the previously confirmed RCE bug CVE-2025-47812 to achieve full system compromise. Organizations running Wing FTP Server v7.4.3 or earlier should treat this as an active threat requiring immediate remediation.

CVE-2025-47813 is not a standalone critical flaw — it is a reconnaissance enabler. By submitting an oversized UID cookie value, a low-privilege attacker triggers a verbose error message that reveals the server’s full local installation path. Security researcher Julien Ahrens, who discovered and reported all three Wing FTP vulnerabilities, confirmed this path disclosure directly supports exploitation of CVE-2025-47812, the critical RCE bug patched alongside it in Wing FTP Server v7.4.4 in May 2025. CVE-2025-47812 was already flagged as exploited in the wild within one day of its technical details becoming public — making this chain high-confidence, not theoretical. Proof-of-concept code for CVE-2025-47813 has been publicly available since June 2025. The third flaw in the same patch batch, CVE-2025-27889, allows credential theft via information disclosure. Together, all three can be combined into a multi-stage attack: steal credentials, discover the install path, then execute arbitrary code.

This Wing FTP KEV addition fits a broader pattern visible across the source articles: CISA is consistently adding vulnerabilities to KEV weeks or months after patches are available, confirming exploitation against organizations that delayed remediation. The Ivanti EPM case (CVE-2026-1603, BleepingComputer March 10, 2026) shows the same dynamic — Ivanti patched the authentication bypass one month before CISA’s KEV addition, yet over 700 internet-facing EPM instances remained exposed at time of reporting. The VMware Tools case (CVE-2025-41244, BleepingComputer October 30, 2025) is more severe: Chinese state-sponsored group UNC5174 had been exploiting that privilege escalation flaw since mid-October 2024, nearly a full year before CISA’s formal KEV listing. Across all three cases, the gap between patch availability and confirmed exploitation underscores that patch lag — not zero-day exposure — is the dominant risk factor.

The Wing FTP exposure surface is significant but bounded. The vendor claims over 10,000 customers globally, including named enterprise and government clients (U.S. Air Force, Sony, Airbus, Reuters, Sephora per BleepingComputer primary source). This is not a ubiquitous infrastructure component like VMware or Ivanti EPM, but it serves organizations that often handle sensitive file transfers — making credential theft and RCE especially damaging. File transfer software has been a recurring exploitation target; this pattern holds.

One notable gap across the sources: none provide specific indicators of compromise (IOCs), threat actor attribution, or details on observed post-exploitation activity for CVE-2025-47813. CISA’s advisory confirms active exploitation but does not describe who is exploiting it or what payloads have been deployed. This limits defensive hunting outside of patch verification. The contrast with the VMware/UNC5174 case is sharp — in that incident, threat actor identity, TTPs, and proof-of-concept details were all available. For Wing FTP, defenders are working with confirmed exploitation and a patch, but no behavioral intelligence on the attacker.

The two-week FCEB deadline under BOD 22-01 is the shortest patch window CISA applies. Private sector organizations should treat CISA’s explicit recommendation to patch immediately as operationally equivalent guidance. Any Wing FTP Server instance running below v7.4.4 should be considered compromised until verified otherwise, given that PoC code for the chain has been public since June 2025 and exploitation is now confirmed.

  • Patch immediately: Upgrade Wing FTP Server to v7.4.4 or later. All three vulnerabilities (CVE-2025-47813, CVE-2025-47812, CVE-2025-27889) are addressed in that release. Instances running v7.4.3 or earlier with public PoC available since June 2025 should be treated as high-priority targets.
  • CVE-2025-47813 enables a multi-stage attack chain: path disclosure (CVE-2025-47813) feeds RCE (CVE-2025-47812) and can be combined with credential theft (CVE-2025-27889). Treat all three as a single compound risk, not three separate low-severity issues.
  • Patch lag is the consistent failure mode: across Wing FTP, Ivanti EPM (CVE-2026-1603), and VMware Tools (CVE-2025-41244), attackers are exploiting known, patched vulnerabilities against organizations that delayed updates — sometimes by nearly a year. Accelerate patch SLAs for internet-facing file transfer and endpoint management software.
  • Hunt for exploitation indicators now: review Wing FTP Server logs for requests carrying oversized UID cookie values and the error responses they produce, unexpected process spawns from the FTP service, and any newly created accounts or credential access events. No public IOCs are available from CISA as of March 16, 2026.
  • If Wing FTP cannot be patched immediately, CISA’s guidance applies: apply compensating controls per vendor instructions, restrict internet-facing access, or discontinue use until patching is possible.
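
One way to run the oversized-UID-cookie hunt from the list above, as an added example that is not part of the original article or of Wing FTP's tooling. It assumes a reverse proxy in front of the server writes JSON lines that include the Cookie header; the field names, the sample records and the 128-character threshold are all assumptions to adapt to your own logging.

```python
import json

# Assumption: tuning threshold for "oversized"; the page states no trigger length.
UID_MAX_LEN = 128

def _line(ts, src, path, status, cookie):
    return json.dumps({"ts": ts, "src": src, "path": path, "status": status, "cookie": cookie})

# Constructed sample: JSON lines from a hypothetical reverse proxy that records the
# Cookie header. Field names, paths and addresses are illustrative only.
SAMPLE_LOG = "\n".join([
    _line("2026-03-16T09:00:01Z", "198.51.100.7", "/page-a", 200, "UID=" + "a" * 32),
    _line("2026-03-16T09:05:00Z", "203.0.113.50", "/page-a", 500, "lang=en; UID=" + "A" * 600),
    _line("2026-03-16T09:05:30Z", "203.0.113.50", "/page-b", 200, "UID=" + "b" * 32),
    _line("2026-03-16T09:06:10Z", "198.51.100.7", "/page-b", 200, "UID=" + "a" * 32),
    _line("2026-03-16T09:07:00Z", "192.0.2.9", "/page-a", 200, ""),
])

def uid_length(cookie_header):
    """Length of the UID cookie value; parsed by hand so malformed headers still count."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0

def hunt(log_text, max_len=UID_MAX_LEN):
    """Map each source that sent an oversized UID cookie to that event and its later requests."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # same-format ISO-8601 UTC strings sort chronologically
    findings = {}
    for e in events:
        src, n = e["src"], uid_length(e.get("cookie", ""))
        if src in findings:
            # Anything after the first oversized cookie is triage context for the chain.
            findings[src]["followups"].append((e["ts"], e["path"], e["status"]))
        elif n > max_len:
            findings[src] = {"first_seen": e["ts"], "uid_len": n,
                             "status": e["status"], "followups": []}
    return findings

if __name__ == "__main__":
    for src, f in hunt(SAMPLE_LOG).items():
        print(src, f["first_seen"], "UID length", f["uid_len"], "status", f["status"])
        for ts, path, status in f["followups"]:
            print("  later request:", ts, path, status)
```

Requests listed as follow-ups are the ones to review first, since the article describes the path disclosure as a precursor step rather than an end in itself.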

Author

Tech Jacks Solutions
