CISA warned U.S. government agencies to secure Wing FTP Server instances after an actively exploited information-disclosure flaw (CVE-2025-47813) that can be chained with the critical RCE bug CVE-2025-47812 to gain code execution on the server. The vendor released Wing FTP Server v7.4.4 in May 2025 to patch CVE-2025-47813 alongside CVE-2025-47812 and CVE-2025-27889; proof-of-concept code has since been published, and FCEB agencies have two weeks under BOD 22-01 to remediate. #WingFTPServer #CVE-2025-47813
Keypoints
- CVE-2025-47813 allows a low-privileged user to learn the server's full local installation path from an error message triggered by an overly long UID cookie.
- The developer patched the vulnerability in Wing FTP Server v7.4.4 alongside a critical RCE (CVE-2025-47812) and a password disclosure bug (CVE-2025-27889).
- Attackers began exploiting the RCE in the wild shortly after technical details were published, and a PoC for CVE-2025-47813 was released by researcher Julien Ahrens.
- CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog and directed FCEB agencies to secure affected systems within two weeks per BOD 22-01.
- All organizations are urged to apply vendor mitigations, follow guidance for cloud services, or discontinue use if fixes are unavailable.
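Two checks a practitioner would want after reading the above, as an added example that is not code from the advisory, CISA, or the vendor: a log scan that flags requests carrying an overlong UID cookie (the pattern that triggers the verbose error behind CVE-2025-47813), and a version comparison against the 7.4.4 fix. The log-line format, the sample lines, the client addresses, the paths, and the 64-character threshold are all constructed for this example and are not Wing FTP Server's own log format or a vendor-defined limit.

```python
"""Added example, not vendor or advisory code.

Flags HTTP requests whose UID cookie is suspiciously long (the trigger for the
verbose error in CVE-2025-47813) and checks a reported Wing FTP Server version
against the 7.4.4 release that shipped the fix. Log format and threshold are
assumptions made for this example.
"""
import re
from typing import Dict, List, Optional

# Version that shipped the fixes for CVE-2025-47813, CVE-2025-47812 and CVE-2025-27889.
FIXED_VERSION = (7, 4, 4)

# Assumed threshold: legitimate UID session cookies are short, so anything far
# longer is worth a look. Tune for your deployment; this is not a vendor value.
MAX_UID_LEN = 64

# Constructed request-log format used by this example (not Wing FTP's log format):
#   <timestamp> <client_ip> <method> <path> cookie="<Cookie header value>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)
UID_RE = re.compile(r'(?:^|;\s*)UID=([^;]*)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the constructed log format; None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def uid_cookie_value(cookie_header: str) -> Optional[str]:
    """Return the UID cookie's value from a Cookie header, or None if absent."""
    m = UID_RE.search(cookie_header)
    return m.group(1) if m else None


def is_suspicious(entry: Dict[str, str]) -> bool:
    """True when the request carried a UID cookie longer than MAX_UID_LEN."""
    uid = uid_cookie_value(entry.get("cookie", ""))
    return uid is not None and len(uid) > MAX_UID_LEN


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose UID cookie length exceeds the threshold."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            entry["uid_len"] = str(len(uid_cookie_value(entry["cookie"])))
            hits.append(entry)
    return hits


def parse_version(version: str) -> tuple:
    """'7.4.4' -> (7, 4, 4); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_patched(version: str) -> bool:
    """True if the reported version is 7.4.4 or later."""
    return parse_version(version) >= FIXED_VERSION


# Constructed sample log: one benign login, one overlong UID cookie, one
# request without a UID cookie. Paths and addresses are placeholders.
SAMPLE_LOG = [
    '2025-07-02T10:15:03Z 203.0.113.5 POST /login.html cookie="UID=3f9a2c1e7b4d"',
    '2025-07-02T10:15:09Z 203.0.113.5 POST /login.html cookie="lang=en; UID=' + "A" * 200 + '"',
    '2025-07-02T10:16:41Z 198.51.100.7 GET /index.html cookie="lang=en"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]}: UID cookie length {hit["uid_len"]}')
    for v in ("7.4.3", "7.4.4"):
        print(f"Wing FTP Server {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
```

The scan is a cheap first pass for hunting: a single overlong UID cookie from a source that then tries logins is worth correlating with the RCE exploitation reported above. The version check is only as good as the version string you obtain from the host, so confirm it on the server rather than trusting a banner.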