CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Ravie LakshmananMar 17, 2026Vulnerability / Network Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions. "Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie," CISA said. The shortcoming affects all versions of the software prior to and including version 7.4.3. The issue was addressed in version 7.4.4, shipped in May following a responsible disclosure by RCE Security researcher Julien Ahrens. It's worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution. As of July 2025, the vulnerability has come under active exploitation in the wild. According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software. Ahrens, in a proof-of-concept (PoC) exploit, shared on GitHub, noted that the endpoint at "/loginok.html" does not properly validate the value of the "UID" session cookie. As a result, if the supplied value is longer than the maximum path size of the underlying operating system, it triggers an error message that discloses the full local server path. "Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812," the researcher added. There are currently no details on how the vulnerability is being exploited in the wild, and if it's being abused in conjunction with CVE-2025-47812. In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CISA, cybersecurity, Malware, network security, remote code execution, Threat Intelligence, Vulnerability Trending News ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths