Wing FTP Server versions 7.4.3 and earlier are affected by a confirmed-exploited attack chain: CVE-2025-47813 (CISA KEV, CVSS 7.5) leaks server path information via a malformed UID cookie, which directly enables CVE-2025-47812 (CVSS 10.0), a pre-authentication RCE vulnerability. Active exploitation is confirmed and the CISA federal remediation deadline is March 30, 2026. All organizations running Wing FTP Server should treat this as an active critical incident: upgrade to version 7.4.4 or later immediately, isolate any instances that cannot be patched right away, and review FTP server logs for exploitation indicators.