Exploited Wing FTP Server Vulnerability Targeted in Active Attacks, CISA Warns

CISA Warns of Actively Exploited Vulnerability in Wing FTP Server

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to U.S. government agencies regarding the urgent need to secure their Wing FTP Server instances. This comes in response to a vulnerability that is actively being exploited and could potentially lead to remote code execution attacks.

Wing FTP Server is a popular cross-platform FTP server software that offers secure file transfer capabilities through its integrated SFTP and web servers. With over 10,000 customers globally, including prominent organizations like the U.S. Air Force, Sony, Airbus, Reuters, and Sephora, the software has become a crucial tool for many.

The identified security flaw, tracked as CVE-2025-47813, allows threat actors with low privileges to uncover the full local installation path of the application on servers that have not been patched.

As explained by CISA, “Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.”

The developer addressed this vulnerability in May 2025 with the release of Wing FTP Server v7.4.4, which also fixed a critical remote code execution bug (CVE-2025-47812) and an information disclosure flaw (CVE-2025-27889) that could potentially lead to password theft.
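Until every instance is on v7.4.4, requests carrying an unusually long UID cookie are worth hunting for in web logs. The following is an added example, not code from CISA, the vendor, or the researcher; the JSON-lines log schema (`src`, `path`, `cookie`), the sample records, and the 128-character threshold are all assumptions to adapt to your own logging.

```python
import json

# Assumption: legitimate UID session values are much shorter than this.
# Tune it against the UID lengths seen in your own logs.
MAX_UID_LEN = 128

# Constructed sample: JSON-lines records from a reverse proxy that has been
# configured to log the Cookie request header (hypothetical schema).
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "198.51.100.7", "path": "/", "cookie": "UID=" + "a1b2c3d4" * 4}),
    json.dumps({"src": "203.0.113.9", "path": "/", "cookie": "lang=en; UID=" + "A" * 600}),
    json.dumps({"src": "203.0.113.9", "path": "/files", "cookie": "UID=" + "B" * 300 + "; lang=en"}),
    json.dumps({"src": "198.51.100.7", "path": "/files", "cookie": ""}),
    "not json at all",
])


def uid_length(cookie_header):
    """Return the length of the longest UID cookie value, or None if absent."""
    longest = None
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "UID":
            n = len(value.strip('"'))
            longest = n if longest is None else max(longest, n)
    return longest


def find_oversized_uid(log_text, max_len=MAX_UID_LEN):
    """Return {src: [(path, uid_len), ...]} for requests with an oversized UID."""
    hits = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if not isinstance(rec, dict):
            continue
        n = uid_length(rec.get("cookie") or "")
        if n is not None and n > max_len:
            hits.setdefault(rec.get("src", "unknown"), []).append((rec.get("path"), n))
    return hits


if __name__ == "__main__":
    for src, reqs in find_oversized_uid(SAMPLE_LOG).items():
        print(src, reqs)
```

The cookie header is split by hand rather than with a strict cookie parser so that malformed or padded headers are still measured instead of being dropped.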

Notably, the RCE vulnerability was exploited in the wild shortly after its details were made public. Security researcher Julien Ahrens, who discovered and reported the vulnerabilities, shared proof-of-concept exploit code for CVE-2025-47813 in June, indicating that attackers could leverage it in conjunction with CVE-2025-47812.

After identifying the severity of the situation, CISA added CVE-2025-47813 to its list of actively exploited vulnerabilities and issued a directive to Federal Civilian Executive Branch (FCEB) agencies to secure their systems within two weeks, in compliance with Binding Operational Directive (BOD) 22-01.

While the directive primarily applies to federal agencies, CISA urged all defenders, including those in the private sector, to promptly patch their servers to mitigate ongoing threats.

In a statement, CISA emphasized the importance of addressing such vulnerabilities promptly, stating that they are a common target for malicious cyber actors and pose significant risks to organizations.

“Apply mitigations as per vendor instructions, adhere to applicable BOD 22-01 guidelines for cloud services, or consider discontinuing the use of the product if mitigations are not available,” CISA advised.
