The US cybersecurity agency CISA recently added to its Known Exploited Vulnerabilities (KEV) catalogue a security flaw that affects Wing FTP Server, a commercial FTP server widely used in business environments. The official alert, published on 16 March 2026, classifies the problem as medium severity and documents evidence of active exploitation, which calls for rapid action, especially in critical environments. CISA's notification includes references and recommendations for administrators.
The vulnerability is tracked as CVE-2025-47813, an information-disclosure weakness that reveals the server's installation path when specific conditions are met in the session. In simple terms, an authenticated attacker can force an error by manipulating the value of the "UID" session cookie so that the system returns an error message containing the complete local server path. This seemingly harmless detail can become very valuable for staging more serious attacks. The public CVE record is available in the National Vulnerability Database for more technical data: CVE-2025-47813 in NVD.

The root of the problem was described by the researcher Julien Ahrens of RCE Security following a responsible disclosure process: the endpoint "/loginok.html" does not correctly validate abnormal lengths in the UID cookie, and when the value exceeds the maximum path size of the underlying operating system, an error is generated that exposes internal data. The proof-of-concept exploit is available in a public repository that details the steps and the test carried out by the researcher: technical advisory on GitHub. In addition, RCE Security published an analysis that places the vulnerability in the context of the package of fixes released by the vendor: RCE Security analysis.
It is important to stress that the vulnerable versions include all releases up to 7.4.3. The vendor fixed the flaw in version 7.4.4, distributed in May after communication with the researcher. The same update also addressed a different critical vulnerability, CVE-2025-47812, which allows remote code execution and has a maximum severity score; for this reason the joint update is particularly relevant. The official product page is available to check release versions and notes: Wing FTP Server - vendor's website.
Since July 2025, there have been signs of malicious activity taking advantage of these flaws. Incident response reports indicate that attackers have used the chain of flaws to download and run malicious Lua scripts, collect environment information and deploy remote management or monitoring software components, which are regular steps in intrusion operations that seek persistence and lateral movement. Although the specific details of all incidents are not yet fully published, the combination of an internal path leak and a remote execution vulnerability in the same product is a pattern that increases operational risk.
For organizations and system administrators the recommendation is clear: update to version 7.4.4 (or the latest version provided by the vendor) as soon as possible. CISA has also issued a specific instruction to US Federal Civilian Executive Branch (FCEB) agencies, setting 30 March 2026 as the deadline for implementing the necessary patches, as part of its policy of prioritized mitigation of vulnerabilities exploited in the wild. The KEV catalogue and its prioritization logic can be reviewed on the CISA website: CISA KEV catalogue.

If an immediate update is not possible in all cases, compensating measures should be taken: restricting access to the administrative interface and server ports, filtering incoming traffic with allowlists, auditing and tightening authentication policies, and monitoring the logs for signs of compromise. It is also prudent to review file and process integrity in case unauthorised agents or scripts are present. The combination of mitigation and patching significantly reduces the potential for effective exploitation.
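As an added example (not code from CISA, RCE Security or the vendor), the log check suggested by the root cause and the monitoring advice above: flag requests to /loginok.html whose UID cookie is abnormally long, and triage installed versions against the 7.4.4 fix. The log layout, the 255-character threshold and all sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: alert on UID values longer than this (kept below Windows MAX_PATH, 260).
UID_LENGTH_THRESHOLD = 255
FIXED_VERSION = (7, 4, 4)  # per the article: 7.4.3 and earlier are affected

# Assumed (constructed) proxy log layout: ip "METHOD path" status "cookie header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def uid_length(cookie_header):
    """Return the length of the UID cookie value, or None if no UID cookie is set."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "UID":
            return len(value)
    return None

def find_suspicious(lines, threshold=UID_LENGTH_THRESHOLD):
    """Return (client_ip, uid_length, status) for oversized UID cookies on /loginok.html."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        if m["path"].split("?", 1)[0] != "/loginok.html":
            continue
        n = uid_length(m["cookie"])
        if n is not None and n > threshold:
            hits.append((m["ip"], n, int(m["status"])))
    return hits

def is_vulnerable(version):
    """True when a dotted version string is older than the fixed release 7.4.4."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

# Constructed sample lines (documentation IP ranges, made-up cookie values).
SAMPLE_LOG = [
    '198.51.100.7 "POST /loginok.html" 200 "UID=' + "a" * 64 + '; lang=en"',
    '203.0.113.9 "POST /loginok.html" 200 "UID=' + "A" * 5000 + '"',
    '203.0.113.9 "GET /index.html" 200 "UID=' + "A" * 5000 + '"',
    '192.0.2.4 "POST /loginok.html" 200 "lang=en"',
]

if __name__ == "__main__":
    for ip, length, status in find_suspicious(SAMPLE_LOG):
        print(f"oversized UID cookie ({length} chars) from {ip}, status {status}")
    print("7.4.3 vulnerable:", is_vulnerable("7.4.3"))
```

Because the flaw requires an authenticated session, a hit is also a reason to review the account tied to that session.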
From a broader perspective, this incident is a reminder that vulnerabilities that at first seem to be "only" information disclosure should not be underestimated: knowing internal paths, file structures and configurations makes it easier to locate and exploit subsequent critical defects. In this particular case, the leaked information can be used as a stepping stone for attacks that, together, allow remote execution or prolonged persistence in high-value infrastructure.
If you manage Wing FTP servers, check the vendor's notes and security notices, apply the published patches and monitor your systems. For additional reading and follow-up of technical reports you can consult the sources mentioned: the CISA alert, the analysis and disclosure by RCE Security, and the technical report published on GitHub (PoC and details).