This Wing FTP Server flaw is being actively exploited in attacks – CISA says mitigate now
CISA adds a new vulnerability to KEV
- CISA adds Wing FTP Server bug (CVE-2025-47813) to KEV catalog
- Medium-severity flaw leaks server paths, exploited in chained attacks
- Federal agencies ordered to patch by March 30 or discontinue use
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, warning US federal agencies about ongoing attacks and urging them to patch up immediately.
The organization added CVE-2025-47813, a bug found in Wing FTP Server, to KEV.
Wing FTP Server is a cross-platform file transfer server used to securely share and manage files, similar to MOVEit or GoAnywhere Managed File Transfer (MFT) solutions. According to its website, it is used by the likes of the US Air Force, Airbus, Reuters, and Sony.
Proof of concept
The bug is described as an “information disclosure vulnerability” that can expose sensitive data in error messages. It happens because the application improperly handles a long UID cookie value, triggering an error message that reveals the server’s full local installation path.
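The passage above describes the bug class at work here: an oversized cookie value trips an error path whose message echoes the server's local installation directory. Two defender-side checks follow as an added example; this is not code from the article, from the researcher, or from Wing FTP Server's own code base. It assumes a hypothetical reverse-proxy access log format that records the Cookie header, a hypothetical `/login` path, and a UID length threshold of 64 characters (the real session cookie length is not stated in the article). The second function shows the generic fix for this vulnerability class: scrubbing filesystem paths from any error text before it reaches a client.

```python
import re

# Assumed threshold: a legitimate session identifier is far shorter than this.
MAX_UID_LEN = 64

# Constructed sample log lines in a hypothetical proxy format:
#   <timestamp> <client_ip> <method> <path> cookie="<raw Cookie header>"
# Addresses are from the documentation range 203.0.113.0/24.
SAMPLE_LOG_LINES = [
    '2025-07-01T10:00:01Z 203.0.113.5 GET /login cookie="UID=a1b2c3d4e5f60718; lang=en"',
    '2025-07-01T10:00:02Z 203.0.113.9 GET /login cookie="UID=' + "A" * 300 + '; lang=en"',
    '2025-07-01T10:00:03Z 203.0.113.12 GET /index.html cookie="lang=en"',
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)


def parse_cookie_header(header):
    """Split a raw Cookie header into a name -> value dict.

    Written by hand instead of http.cookies.SimpleCookie so that unusual
    or oversized values are kept verbatim rather than rejected.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def flag_oversized_uid(lines, max_len=MAX_UID_LEN):
    """Return one record per request whose UID cookie exceeds max_len.

    Lines that do not match the expected format are skipped, not raised,
    so a single bad line cannot abort a log sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uid = parse_cookie_header(m["cookie"]).get("UID")
        if uid is not None and len(uid) > max_len:
            hits.append(
                {"ts": m["ts"], "ip": m["ip"], "path": m["path"], "uid_len": len(uid)}
            )
    return hits


# Coarse patterns for absolute paths in error text. Windows paths stop at
# the next colon or quote; POSIX paths stop at whitespace.
_WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[\w .-]+\\)*[\w .-]*")
_POSIX_PATH = re.compile(r"/(?:[\w.-]+/)+[\w.-]*")


def redact_paths(message, placeholder="[path redacted]"):
    """Remove absolute filesystem paths from a message before it is sent to a client.

    The full message should still go to the server-side log; only the
    client-facing copy is scrubbed.
    """
    message = _WIN_PATH.sub(placeholder, message)
    return _POSIX_PATH.sub(placeholder, message)


if __name__ == "__main__":
    for hit in flag_oversized_uid(SAMPLE_LOG_LINES):
        print("oversized UID cookie:", hit)
    # Constructed error text of the kind an unhandled exception might produce.
    print(redact_paths(r"Cannot open file C:\Program Files\Example\session.dat: Invalid argument"))
    print(redact_paths("open /opt/example/conf/settings.xml failed"))
```

Run against real proxy logs, the first function gives a cheap retrospective check for attempts at this class of cookie abuse before the patch was applied; the regular expressions in the second are deliberately coarse, so they will also blank out URL-like strings, which is the safe direction for client-facing error text.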
It was given a severity score of 4.3/10 (medium). So, it’s not the most critical of all bugs, but it can be used for reconnaissance and chained with other bugs to launch more serious attacks. In fact, this is exactly what is happening in the wild, right now.
According to BleepingComputer, security researcher Julien Ahrens shared proof-of-concept (PoC) exploit code in summer 2025, stressing that the attackers were chaining it with a separate bug, tracked as CVE-2025-47812.
The bug affects all Wing FTP Server versions before 7.4.4 and was patched in May 2025. The same fix addressed two additional bugs - a critical remote code execution (RCE) vulnerability tracked as CVE-2025-57812, and an information disclosure flaw tracked as CVE-2025-27889.
Now, Federal Civilian Executive Branch (FCEB) agencies have a two-week deadline to patch the software, which expires on March 30. Alternatively, they can stop using the product altogether.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA said. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.