The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised the alert on a vulnerability in Wing FTP Server that is already being used in real attacks and can serve as a link in chains leading to remote code execution. This is a flaw that, although it does not by itself allow code execution, makes it easier for an attacker with few privileges to obtain sensitive information from the server, such as the full installation path, which may be the key to exploiting other flaws.
The flaw has been recorded as CVE-2025-47813 and, according to the public technical description, the application generates error messages that include sensitive data when a very long value is used in the UID cookie. This information leak can help attackers understand the structure of the system and build more powerful exploits that chain other vulnerabilities, including a critical one that allows remote code execution (CVE-2025-47812).

The Wing FTP Server developers fixed these vulnerabilities in version 7.4.4, published in May 2025; the release notes include patches for the information disclosure, for the remote code execution vulnerability and for another flaw that allows passwords to be stolen (CVE-2025-27889). The manufacturer's note with the version history and the patch is available on its official website: Wing FTP Server - Server History.
The situation became more complicated when researcher Julien Ahrens published proof-of-concept code for CVE-2025-47813 in June, which increased the risk by giving anyone the tools to reproduce the flaw. The repository with the proof of concept can be found here: PoC on GitHub. In addition, the RCE vulnerability (CVE-2025-47812) was reported as being exploited in real environments only one day after the technical details were disseminated, demonstrating the speed with which attackers adapt and put this information to use in practice. The technical entries in the National Vulnerability Database provide more context: CVE-2025-47813, CVE-2025-47812 and CVE-2025-27889.
On March 16, 2026, CISA added CVE-2025-47813 to its catalogue of actively exploited vulnerabilities and ordered civilian federal agencies to remediate the flaw within two weeks, as required by BOD-01 of November 2021. Although the deadline only binds US federal agencies, CISA itself urged private-sector organizations and system administrators in general to update or implement mitigations immediately. The vulnerability record is available in the CISA catalogue here: CVE-2025-47813 in the CISA catalogue.
Wing FTP Server is not a minor product: its developers state that the software is used by more than 10,000 customers worldwide, including large public- and private-sector organizations. This install base makes any exploitable vulnerability an attractive target for attackers seeking access to corporate or government networks. The manufacturer's official information on customers and product scope is available on its site: Wing FTP Server.
What does this mean for administrators and security officers? First, that the exposure window shrinks when public proof-of-concept code exists and exploitation in the wild is under way; therefore, the time to react is limited. If your organization uses Wing FTP Server, the most urgent step is to check the version in use and update to the fixed release (v7.4.4 or later). If for some reason you cannot apply the patch immediately, you should consider implementing the recommended mitigations, tightening access to the service (for example, restricting connections to trusted IP addresses and limiting privileged accounts), and temporarily taking the service offline until you are sure.
Exposure through errors that reveal local paths is less striking than a direct RCE, but no less dangerous: knowing the system's structure, installation paths and sensitive files is usually the first step attackers take toward assembling more complex exploits or stealing credentials. This is why CISA insists on applying the fixes and, if no mitigations are applicable, considering discontinuing use of the product.
In addition to updating, it is recommended to review access and error logs looking for abnormal patterns that match exploitation attempts, to audit the accounts and credentials associated with the service, rotating passwords if compromise is suspected, and to segment the network so that a possible intrusion into the FTP server cannot serve as a springboard to other critical assets.
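As a practical complement to the version check and the log review recommended above, the following Python script is an added example, not code from the article, from CISA or from the Wing FTP Server vendor: it compares an installed version string against the fixed release 7.4.4 and scans access-log lines for requests whose UID cookie value is abnormally long. The log line format, the 256-character threshold and the sample log lines are all constructed for this example and do not reflect the product's real log format.

```python
import re

# Release that the vendor's history lists as fixing CVE-2025-47813 (and -47812, -27889).
FIXED_VERSION = (7, 4, 4)
# Assumed threshold for this example: legitimate UID session values are short,
# so anything far longer is worth a look. Tune it to your own baseline.
UID_LENGTH_THRESHOLD = 256

def parse_version(version):
    """Turn a dotted version string such as '7.4.3' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_patched(installed):
    """True when the installed Wing FTP Server version is 7.4.4 or later."""
    return parse_version(installed) >= FIXED_VERSION

# Constructed log line format for this example (NOT the product's real format):
# <client ip> <method> <path> <status> cookie="<Cookie header>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$')
# Pull the UID value out of a Cookie header; UID need not be the first cookie.
UID_RE = re.compile(r"(?:^|;\s*)UID=(?P<uid>[^;]*)")

def uid_length(cookie_header):
    """Length of the UID cookie value, or 0 when no UID cookie is present."""
    match = UID_RE.search(cookie_header)
    return len(match.group("uid")) if match else 0

def flag_oversized_uid(lines, threshold=UID_LENGTH_THRESHOLD):
    """Return (ip, path, status, uid_length) for requests with an oversized UID cookie."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:  # skip lines that do not fit the expected format
            continue
        length = uid_length(match.group("cookie"))
        if length > threshold:
            hits.append((match.group("ip"), match.group("path"),
                         int(match.group("status")), length))
    return hits

# Constructed sample lines: two normal sessions and one oversized UID value that
# also produced a server error, the pattern the advisory describes.
SAMPLE_LOG = [
    '203.0.113.7 GET /example 200 cookie="UID=abc123def456"',
    '198.51.100.9 POST /example 500 cookie="UID=' + "A" * 2048 + '"',
    '203.0.113.7 GET /example 200 cookie="lang=en; UID=abc123def456"',
]
```

Calling `flag_oversized_uid(SAMPLE_LOG)` returns only the 2048-character request; in practice, adapt `LOG_RE` to your server's actual log format and feed it the real lines, then cross-check flagged source addresses against the account audit described above.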

Vulnerabilities in file transfer components are a reminder that apparently unremarkable infrastructure can open significant attack vectors. The combination of a publicly available exploit, the speed of real-world exploitation and a broad install base makes this incident a security priority for organisations that use Wing FTP Server or that depend on similar services.
For more information and to verify the technical status, see the official sources: the vulnerability entry in NVD (CVE-2025-47813), CISA's notice and catalogue (CISA - vulnerability catalogue), the Wing FTP Server history (Wing FTP Server - Server History) and the repository with the proof of concept published by the researcher (PoC on GitHub).
If you need help assessing your exposure or prioritizing mitigation actions, it is advisable to contact your security team or specialized providers; in incidents involving active exploitation, a rapid and coordinated response can make the difference between a failed intrusion attempt and a breach with serious consequences.