Wing FTP Server flaw now actively exploited—CISA mandates federal patch

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.
Wing FTP Server flaw now actively exploited—CISA mandates federal patch — AI-generated illustration

A Wing FTP Server vulnerability is now confirmed as actively exploited in real-world attacks, and U.S. federal agencies have been ordered to patch their systems within two weeks. CISA added CVE-2025-47813, an information disclosure flaw in Wing FTP Server versions prior to 7.4.4, to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, triggering mandatory remediation for the Federal Civilian Executive Branch by March 30, 2026. This marks a critical escalation for organizations running the file transfer software, particularly those in government, defense, and critical infrastructure sectors.

Key Takeaways

  • CVE-2025-47813 is an information disclosure flaw (CVSS 4.3) that leaks the full local installation path of Wing FTP Server via a long UID cookie value
  • Attackers chain this flaw with CVE-2025-47812 (CVSS 10.0 remote code execution) to gain full server control
  • Active exploitation began July 1, 2025, with attackers downloading malicious Lua files and installing remote management tools
  • Wing FTP Server 7.4.4, released May 2025, patches all three known vulnerabilities in the product
  • CISA mandates federal agencies patch by March 30, 2026, under BOD 22-01 compliance requirements

Why Wing FTP Server Vulnerability Matters Now

The Wing FTP Server vulnerability represents a textbook example of vulnerability chaining—a low-severity flaw becomes dangerous when paired with a critical one. CVE-2025-47813 alone would be nuisance-level information disclosure, but when attackers combine it with CVE-2025-47812, a remote code execution flaw with a maximum CVSS score of 10.0, the combined impact becomes catastrophic. An attacker with no credentials can exploit the RCE vulnerability via a null byte injection in the username field, then use the path disclosure from CVE-2025-47813 to refine their post-exploitation payload.

The timing of CISA’s KEV addition is significant because this vulnerability has been in the wild for over eight months. Huntress observed attackers exploiting this exact chain as early as July 1, 2025—just one day after CVE-2025-47812 was publicly disclosed. The attackers were observed downloading malicious Lua files, conducting reconnaissance, and installing remote management tools on compromised servers. At that time, approximately 5,000 internet-exposed Wing FTP Server instances were vulnerable. CISA’s official confirmation now forces organizations to acknowledge the threat and act before the March 30 deadline.

Attack Chain and Technical Details

Understanding how these vulnerabilities work together is essential for defenders. CVE-2025-47813 triggers when an attacker sends an HTTP request to the loginok.html page with an oversized UID cookie value. The server generates an error message that inadvertently reveals the full local installation path of Wing FTP Server—information that reconnaissance tools typically extract from verbose error pages. This path disclosure alone does not yield code execution, but it gives attackers precise targeting data for the second vulnerability.

CVE-2025-47812, the companion RCE flaw, allows unauthenticated attackers to inject a null byte into the username field during FTP login. The null byte bypasses input validation, allowing arbitrary code execution. With the installation path already leaked from CVE-2025-47813, attackers can craft payloads that target specific directories and binaries within the Wing FTP Server installation. Researcher Julien Ahrens of RCE Security discovered both vulnerabilities and responsibly disclosed them to the vendor, with proof-of-concept exploits later shared on GitHub in summer 2025.
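As an added defensive example (not from the original article or from the Wing FTP Server vendor), the detector below scans constructed access-log lines for the two request patterns described above: an oversized UID cookie sent to loginok.html, and a NUL byte in the submitted username. The log layout, the field names and the 64-character cookie threshold are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed log layout for this example (not Wing FTP Server's own log
# format): roughly what a reverse proxy in front of the web UI might record.
#   <ip> "<METHOD> <target> HTTP/x.y" <status> user="<login name>" cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) user="(?P<user>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)
# Assumption: legitimate UID session cookies are short; baseline this against your traffic.
MAX_UID_LEN = 64

# Constructed sample lines: a normal login, an oversized UID cookie,
# a NUL byte in the login name, and an unrelated request.
SAMPLE_LOG = [
    '198.51.100.7 "GET /loginok.html HTTP/1.1" 200 user="alice" cookie="UID=3f9c2b1a7e0d4c6f"',
    '203.0.113.9 "GET /loginok.html HTTP/1.1" 500 user="" cookie="UID=' + "A" * 300 + '"',
    '203.0.113.9 "POST /loginok.html HTTP/1.1" 200 user="bob%00" cookie="UID=3f9c2b1a7e0d4c6e"',
    '198.51.100.8 "GET /index.html HTTP/1.1" 200 user="" cookie="UID=3f9c2b1a7e0d4c70"',
]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path
    rec["cookies"] = dict(kv.split("=", 1) for kv in rec["cookie"].split("; ") if "=" in kv)
    return rec

def classify(rec, max_uid_len=MAX_UID_LEN):
    """Return the indicator names that apply to one parsed request."""
    hits = []
    if rec["path"].endswith("/loginok.html"):
        # CVE-2025-47813: an oversized UID cookie provokes the path-leaking error page
        if len(rec["cookies"].get("UID", "")) > max_uid_len:
            hits.append("oversized_uid_cookie")
        # CVE-2025-47812: a null byte smuggled into the username field
        if "\x00" in unquote(rec["user"]):
            hits.append("null_byte_in_username")
    return hits

def scan(lines, max_uid_len=MAX_UID_LEN):
    """Return (client_ip, indicators) for every request that matches an indicator."""
    recs = filter(None, (parse_line(line) for line in lines))
    return [(r["ip"], h) for r in recs if (h := classify(r, max_uid_len))]
```

Running `scan(SAMPLE_LOG)` flags only the two requests from 203.0.113.9, one per indicator; feed it your own proxy or WAF lines once the regex is adapted to their layout.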

Who Is Running Wing FTP Server

Wing FTP Server is not niche software. The vendor claims over 10,000 customers globally, including the U.S. Air Force, Sony, Airbus, Reuters, and Sephora. The software runs on multiple operating systems and supports multiple protocols—FTP, FTPS, HTTP/S, and SFTP—making it a common choice for organizations needing secure cross-platform file transfer. This broad customer base means the vulnerability affects not just government agencies but also major corporations in aerospace, media, and retail.

Federal agencies are under immediate pressure because CISA’s BOD 22-01 mandate requires patching of known exploited vulnerabilities within 30 days of their addition to the KEV catalog. Organizations running Wing FTP Server outside the federal space have no formal deadline, but the active exploitation history makes delay risky. The vulnerability was disclosed responsibly in 2025, patched in May 2025 with the release of version 7.4.4, yet attackers have been actively exploiting it for months.

Mitigation and Patching

The remediation path is straightforward: upgrade to Wing FTP Server version 7.4.4 or later. This single patch addresses not only CVE-2025-47813 but also CVE-2025-47812 (the RCE flaw) and CVE-2025-27889 (a third information disclosure vulnerability in the same product). CISA’s official guidance mirrors this approach, recommending organizations apply vendor mitigations per instructions, follow BOD 22-01 cloud service guidance if applicable, or discontinue the product if patches are unavailable.

For organizations unable to patch immediately, network segmentation is a temporary control. Restricting access to Wing FTP Server to trusted networks only and disabling unnecessary protocols (especially anonymous FTP, which allows the RCE exploit without credentials) can reduce exposure. However, these are stopgaps, not solutions. The March 30 deadline for federal agencies is firm, and private organizations should treat it as an industry benchmark for urgency.

Is patching Wing FTP Server to 7.4.4 mandatory for all organizations?

Patching is mandatory for Federal Civilian Executive Branch agencies by March 30, 2026, per BOD 22-01. Private organizations and non-federal entities have no legal mandate, but given the active exploitation history and the severity of the RCE component, patching should be treated as critical rather than optional. Delaying creates unnecessary risk.

Can CVE-2025-47813 be exploited without CVE-2025-47812?

CVE-2025-47813 alone allows information disclosure—leaking the server installation path—but does not grant code execution. However, attackers use this path information to refine exploits for CVE-2025-47812, the critical RCE flaw. The vulnerability is most dangerous when chained; in isolation, it is reconnaissance-level risk.

What happens if an organization does not patch by March 30?

Federal agencies face compliance violations and potential sanctions under BOD 22-01. Private organizations risk operational compromise, data theft, and ransomware deployment, as attackers have demonstrated active exploitation for over eight months. The March 30 deadline for federal agencies sets a clear industry expectation; organizations should not wait until then to act.

The Wing FTP Server vulnerability demonstrates why vulnerability chaining and rapid patch deployment matter. A low-severity flaw becomes critical when paired with a remote code execution vulnerability, and active exploitation confirms the threat is real. Federal agencies have a hard deadline; everyone else should treat March 30 as a wake-up call, not a deadline. Upgrade to version 7.4.4 now, verify your installation is no longer exposed, and ensure your monitoring tools catch any suspicious activity targeting Wing FTP Server. Waiting invites compromise.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
