A recently discovered information disclosure vulnerability in Wing FTP Server (CVE-2025-47813) has been confirmed to be actively exploited in real-world attacks, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to the Known Exploited Vulnerabilities (KEV) catalog. Although this vulnerability is rated CVSS 4.3 (Medium), it poses risks beyond simple information leakage, as it can expose the server's local installation path. In particular, when combined with the remote code execution (RCE) vulnerability CVE-2025-47812 found in the same product, it may form part of a real-world attack chain, drawing significant attention from the security community.

Wing FTP Server is a cross-platform server software that supports FTP, SFTP, and HTTP-based file transfer, and is used by thousands of organizations worldwide. In such environments, internet-exposed file transfer servers can become initial entry points for attackers, and when vulnerabilities are combined with external exposure, the likelihood of real-world exploitation increases significantly.

This article analyzes the technical details and attack potential of CVE-2025-47813, and examines the exposure of Wing FTP services on the internet using Criminal IP data, providing security insights from an attack surface perspective.

Summary of the Wing FTP Server Vulnerability

Vulnerability ID:    CVE-2025-47813
Affected Product:    Wing FTP Server
Vulnerability Type:  Information Disclosure
CVSS Score:          4.3 (Medium)
Key Impact:          Exposure of local installation path
Affected Versions:   ≤ 7.4.3
Patched Version:     7.4.4

CVE-2025-47813 is caused by improper input validation in the web authentication process of Wing FTP Server. The vulnerability occurs at the /loginok.html endpoint, where an attacker can insert an excessively long string into the UID session cookie value. This triggers an error response from the server, which inadvertently exposes the full local installation path.

The attack flow is as follows:

  • The attacker sends a request containing an abnormally long UID cookie value
  • The server processes the input and exceeds the path length limit
  • An error message is generated
  • The error response includes the full local file system path of the application

While this vulnerability does not directly enable remote code execution, it can be used as a reconnaissance step, allowing attackers to gain insight into the server's file system structure and installation paths.

How It Can Be Chained with an RCE Vulnerability

Some security researchers have pointed out that CVE-2025-47813 may be combined with other vulnerabilities in the same product. Notably, Wing FTP Server also contains a remote code execution vulnerability (CVE-2025-47812, CVSS 10.0), which has already been observed in real-world exploitation.

In previous attacks, threat actors were reported to perform the following actions:

  • Downloading and executing malicious Lua scripts
  • Collecting system environment information
  • Installing remote management and monitoring tools
  • Conducting internal reconnaissance for further attacks

In this attack flow, the server path information obtained through CVE-2025-47813 can potentially be leveraged during the exploitation of the RCE vulnerability. In other words, an attacker may construct an attack chain in the following sequence: discovering Wing FTP servers on the internet, obtaining server path information via CVE-2025-47813, exploiting CVE-2025-47812, and ultimately executing malicious code to take control of the system.

This represents a typical case where the impact of an attack is significantly amplified not by a single vulnerability, but through a chain of vulnerabilities.

A Closer Look at Wing FTP Asset Exposure

Beyond the vulnerability itself, a critical factor is the number of internet-accessible vulnerable services. File transfer servers are often configured for external access to support operational convenience, which increases the likelihood of rapid scanning and exploitation attempts once a vulnerability is disclosed. To assess this, a search was conducted using Criminal IP Asset Search targeting Wing FTP services, in order to analyze the current exposure landscape.


Criminal IP Search Query: product: Wing FTP

Through this search, internet-exposed Wing FTP server instances can be identified. The query detects assets that are likely running Wing FTP Server based on service banners and identifiable characteristics.

Analysis of the Criminal IP Asset Search results confirmed that a significant number of Wing FTP services are externally exposed. These services are typically operated as FTP, SFTP, or web-based file transfer interfaces, and in some cases, management interfaces were observed to be directly exposed to the public internet.

A Deeper Look at Accessible Wing FTP Services

To identify Wing FTP services whose web interfaces actively return valid responses from external access, more refined search conditions were applied.


Criminal IP Search Query: product: Wing FTP AND status_code: 200

Using the query product: Wing FTP AND status_code: 200 in Criminal IP Asset Search allows filtering of Wing FTP services that return normal HTTP responses, effectively identifying web interfaces that are actually accessible.

Going beyond simple product identification, the status_code: 200 filter helps narrow down services that actively return web pages to external requests. This means the focus is not on inactive assets or restricted-response environments, but rather on interfaces that attackers can immediately access via a browser or automated scanning tools. In such environments, attackers can gain deeper insights into the service configuration by analyzing login pages, response headers, static resources, and error handling behavior. For example, if a web interface is directly exposed, attackers may identify not only the product itself but also the presence of admin pages, authentication flows, exposed resource paths, and even clues that could help estimate the service version.

Attackers may infer vulnerable versions using methods such as:

  • Analyzing login pages and static resources
  • Inspecting server response headers
  • Estimating versions based on banner information

If a management interface is accessible from the internet, the potential impact of exploitation increases significantly.

Recommended Mitigation Approaches

Many organizations operate file transfer servers to exchange data between internal systems and external partners. For convenience, external access is often allowed. However, this can lead to issues such as exposure of test or temporary environments, unpatched legacy instances, and directly exposed management interfaces. These conditions create an attack surface that can be easily discovered through automated scanning.

Even if a vulnerability like CVE-2025-47813 has limited impact on its own, it can become part of an attack chain when combined with an RCE vulnerability. Therefore, response strategies should go beyond simple patching and include attack surface management practices such as identifying exposed assets and enforcing access controls.

Recommended actions:

  • Apply security updates immediately: upgrade to Wing FTP Server version 7.4.4 or later
  • Restrict external access: minimize exposure of management interfaces and web login pages
  • Audit exposed assets: use tools like Criminal IP Asset Search to identify publicly accessible Wing FTP services
  • Review logs for anomalies: check for abnormal UID cookie requests and related error logs
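The log review recommended above, applied to the request pattern described earlier (an oversized UID session cookie sent to /loginok.html), as an added example that is not code from this article or from Wing FTP Server. The access-log layout, the sample lines and the 128-character threshold are assumptions and should be adapted to the real log format and baseline traffic.

```python
"""Flag requests matching the CVE-2025-47813 pattern (oversized UID session
cookie sent to /loginok.html) in a constructed access log.  Added example, not
code from the article or from Wing FTP Server.  Log format is an assumption:
  <client_ip> <method> <path> <status> cookie="<Cookie header>"
"""
import re

# Constructed sample log: two normal requests, one oversized UID cookie.
SAMPLE_LOG = """\
203.0.113.5 POST /loginok.html 200 cookie="UID=a1b2c3d4e5f6; lang=en"
198.51.100.9 GET /index.html 200 cookie="UID=f6e5d4c3b2a1"
203.0.113.77 POST /loginok.html 500 cookie="UID={}"
""".format("A" * 600)

# Legitimate UID values are short session identifiers; the threshold is an
# assumption and should be tuned against your own baseline traffic.
UID_MAX_LEN = 128

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)"$'
)

def uid_cookie_value(cookie_header):
    """Return the UID cookie value from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None

def find_suspicious(log_text, max_len=UID_MAX_LEN):
    """Return (ip, uid_length, status) for each /loginok.html request whose
    UID cookie is longer than max_len characters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != "/loginok.html":
            continue
        uid = uid_cookie_value(m.group("cookie"))
        if uid is not None and len(uid) > max_len:
            hits.append((m.group("ip"), len(uid), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, length, status in find_suspicious(SAMPLE_LOG):
        print(f"suspicious UID cookie from {ip}: length={length} status={status}")
```

Correlating the flagged source addresses with the server's error log entries from the same timestamps confirms whether the path-disclosing error response was actually returned.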

A layered defense strategy, not a single measure, is essential to proactively mitigate risks before exploitation occurs.

Conclusion

While CVE-2025-47813 may appear to be a simple information disclosure vulnerability, it can be leveraged as part of an attack chain in real-world scenarios when combined with RCE vulnerabilities. Internet-exposed file transfer servers are easy targets for attackers, and if vulnerable versions are in use, the likelihood of successful exploitation increases significantly. CISA's inclusion of this vulnerability in the KEV catalog indicates that it is not merely theoretical but actively exploited in real-world attacks.

Organizations should move beyond basic patching and adopt an Attack Surface Management (ASM)-based security strategy that continuously identifies and manages externally exposed services.
