
Security News

CISA added CVE-2025-47813, an information disclosure flaw in Wing FTP Server, to its Known Exploited Vulnerabilities catalog on March 17, 2026, citing active exploitation. The flaw matters less for what it exposes directly and more for what it enables: it provides attackers with the local server path needed to reliably exploit CVE-2025-47812, a separately confirmed CVSS 10.0 remote code execution vulnerability in the same product. Organizations running Wing FTP Server versions 7.4.3 or earlier that have not yet patched face a compounded risk, with FCEB agencies under a March 30, 2026 remediation deadline.

The addition of CVE-2025-47813 to CISA’s KEV catalog requires context to interpret correctly. On its own, a CVSS 4.3 information disclosure flaw that reveals an application’s installation path is not a headline threat. Its significance is positional: it functions as a reconnaissance enabler for CVE-2025-47812, the critical RCE vulnerability in Wing FTP Server that has been under active exploitation since at least July 2025. Attackers who combine the two obtain the server path needed to accurately target the RCE — turning a medium-severity flaw into a force multiplier for a severity-10 attack chain. The PoC for CVE-2025-47813, published by RCE Security researcher Julien Ahrens, demonstrates that the /loginok.html endpoint fails to validate the length of the UID session cookie. When the supplied value exceeds the operating system’s maximum path length, the server generates an error message that includes the full local installation path. The flaw requires authentication, which constrains casual exploitation but does not eliminate risk from compromised credentials or insider threat scenarios.

The July 2025 exploitation activity around CVE-2025-47812 provides behavioral context that informs how the companion flaw is likely being used. Per Huntress reporting cited in The Hacker News, attackers exploiting the RCE downloaded and executed malicious Lua scripts, performed host reconnaissance, and installed remote monitoring and management (RMM) software — a post-exploitation pattern consistent with initial access brokers or ransomware precursor activity. Whether CVE-2025-47813 is being chained with CVE-2025-47812 in current campaigns is not confirmed, but the tactical logic is sound: an authenticated attacker who does not already know the installation path benefits from leaking it before attempting the RCE. CISA’s KEV addition, absent public chain confirmation, may reflect telemetry indicating the information disclosure flaw is being used in that supporting role.

The patch timeline introduces a gap worth acknowledging. Wing FTP Server 7.4.4 — which addresses both CVE-2025-47813 and CVE-2025-47812 — shipped in May 2025 following responsible disclosure. That means a complete fix has been available for approximately ten months. For any organization that patches CVEs based on severity score alone, the CVSS 4.3 rating on CVE-2025-47813 would have deprioritized it below the remediation threshold for many patch cycles. This is a concrete example of where severity-score-based prioritization fails: a medium-severity flaw that chains with a critical RCE warrants the same urgency as the critical flaw itself. Organizations should treat both CVEs as a single remediation unit.

From a detection and response standpoint, Wing FTP Server’s presence in an enterprise environment is the first question to answer. The product is not among the most widely deployed FTP servers in large enterprise environments, but it maintains a user base in small-to-medium businesses and specific verticals. Threat hunters should query asset inventories and network flow data for Wing FTP Server instances, confirm version numbers against the 7.4.4 baseline, and review authentication logs for anomalous UID cookie values on the /loginok.html endpoint. Indicators of post-exploitation include unexpected Lua script execution originating from the FTP server process, outbound connections to RMM infrastructure, and new user accounts or scheduled tasks created in the aftermath of FTP service activity. The FCEB March 30 deadline applies to federal civilian agencies, but the risk calculus for private sector organizations with unpatched instances is identical.

  • Patch Wing FTP Server to version 7.4.4 immediately — it resolves both CVE-2025-47813 (CVSS 4.3, info disclosure) and CVE-2025-47812 (CVSS 10.0, RCE); treat them as a single remediation unit, not separate priority decisions.
  • Do not score CVE-2025-47813 in isolation — its medium CVSS rating understates its risk because it provides the server path data needed to reliably exploit the companion RCE vulnerability; severity-only patch prioritization would have delayed this fix dangerously.
  • Hunt for Wing FTP exploitation indicators now: review /loginok.html authentication logs for oversized UID cookie values, look for unexpected Lua script execution from the FTP server process, and check for RMM tool installation or new accounts following FTP service activity.
  • FCEB agencies face a hard March 30, 2026 remediation deadline per CISA’s KEV directive; private sector organizations with Wing FTP instances should treat the same deadline as a practical benchmark regardless of regulatory obligation.
  • The exploitation pattern observed by Huntress in July 2025 — Lua script execution, reconnaissance, RMM installation — is consistent with ransomware precursor or initial access broker activity; treat any confirmed Wing FTP compromise as a potential early-stage intrusion requiring full incident response, not just patch application.
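The hunting step above (review /loginok.html authentication logs for oversized UID cookie values) as a small, added detection example; this is not code from the original post or from Wing FTP Server. The access-log layout, the `cookie="..."` field and the 260-character threshold (Windows MAX_PATH; a real session UID is far shorter) are assumptions for illustration, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Simplified access-log format used for the constructed samples below. It is an
# assumption for illustration, not Wing FTP Server's real log layout.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'cookie="(?P<cookie>[^"]*)" status=(?P<status>\d+)$'
)
UID_RE = re.compile(r'(?:^|;\s*)UID=(?P<uid>[^;]*)')

# Windows MAX_PATH is 260 and Linux PATH_MAX is 4096; a legitimate session UID is
# far shorter, so anything at or beyond this assumed limit is worth a look.
DEFAULT_UID_LIMIT = 260

@dataclass
class Finding:
    ts: str
    src: str
    uid_len: int
    status: str

def uid_length(cookie: str) -> int:
    """Length of the UID cookie value, or 0 when no UID cookie is present."""
    m = UID_RE.search(cookie)
    return len(m.group("uid")) if m else 0

def find_oversized_uid(lines, limit=DEFAULT_UID_LIMIT):
    """Return requests to /loginok.html whose UID cookie is at least `limit` chars."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("path") != "/loginok.html":
            continue
        n = uid_length(m.group("cookie"))
        if n >= limit:
            findings.append(Finding(m.group("ts"), m.group("src"), n, m.group("status")))
    return findings

def _sample_lines():
    # Constructed sample traffic: one normal login, two oversized UID cookies on
    # /loginok.html, and one oversized cookie on an unrelated path (not flagged).
    normal = "UID=" + "a1b2c3d4" * 4
    return [
        f'2026-03-18T09:12:01Z 203.0.113.5 GET /loginok.html cookie="{normal}" status=200',
        f'2026-03-18T09:12:07Z 198.51.100.9 GET /loginok.html cookie="UID={"A" * 300}" status=500',
        f'2026-03-18T09:12:09Z 198.51.100.9 GET /loginok.html cookie="lang=en; UID={"A" * 4200}" status=500',
        f'2026-03-18T09:13:00Z 203.0.113.5 GET /dir.html cookie="UID={"A" * 300}" status=200',
    ]

if __name__ == "__main__":
    for f in find_oversized_uid(_sample_lines()):
        print(f"{f.ts} {f.src} UID length {f.uid_len} on /loginok.html (HTTP {f.status})")
```

Pair any hit with the post-exploitation indicators listed above (Lua execution from the FTP server process, RMM installs, new accounts) before deciding whether it is a probe or a compromise.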

Author

Tech Jacks Solutions
