CISA Adds Wing FTP Server Flaw to KEV as RCE Chain Exploits Surge

CISA Flags Wing FTP Zero-Day Chain Now Being Exploited at Scale

CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, ordering U.S. government agencies to patch their Wing FTP Server deployments within two weeks.

The flaw — a seemingly routine medium-severity (CVSS 4.3) information disclosure vulnerability — is being exploited as the first step in a kill chain that ultimately delivers unauthenticated remote code execution via CVE-2025-47812 (CVSS 10.0 — Critical). Attackers exploiting both vulnerabilities together can compromise a Wing FTP Server host with SYSTEM or root privileges, no authentication required.

Attack Details

Attribute	Value
Primary CVE	CVE-2025-47813 (CVSS 4.3)
Chained CVE	CVE-2025-47812 (CVSS 10.0)
Affected software	Wing FTP Server ≤ 7.4.3
Fixed version	Wing FTP Server v7.4.4 (May 14, 2025)
KEV date	March 16, 2026
FCEB patch deadline	March 30, 2026
First exploitation	July 1, 2025
Exposed instances	~2,000+ internet-facing

How the Chain Works

CVE-2025-47813 exploits improper error handling in Wing FTP's /loginok.html endpoint. A low-privileged attacker submits an overlong UID cookie value, causing the server to return a verbose error message that includes the full local installation path (e.g., C:\Program Files\WingFTP\).

Armed with that path, the attacker moves to CVE-2025-47812: a null byte injection flaw in the authentication handler. By inserting a null byte (%00) into the username parameter, the server writes attacker-controlled Lua code into a session file at the now-known filesystem path. When the server loads that session, the Lua payload executes with SYSTEM/root privileges.

Researcher Julien Ahrens of RCE Security documented the complete chain in June 2025 and published a working proof-of-concept. The first observed exploitation followed just 24 hours later.

Who Is Being Targeted

Huntress confirmed active exploitation on customer systems, with attacks originating from multiple distinct IP addresses — suggesting multiple threat actors are exploiting the chain, not a single targeted campaign.

Wing FTP Server claims over 10,000 customers worldwide, including organizations in government, aerospace, and media. Approximately 2,000 instances are internet-facing. Observed post-exploitation behavior includes:

Creation of new local user accounts for persistence
Download and execution of malicious batch files
Deployment of ScreenConnect for persistent remote access

Impact Assessment

Impact Area	Description
Standalone risk	Low (path disclosure only)
Chained risk	Critical — full SYSTEM RCE without authentication
Exposure window	July 2025 to present — 8+ months of active exploitation
Persistence	ScreenConnect RAT; new local accounts
Sectors at risk	Any organization using Wing FTP for managed file transfer

Recommendations

Immediate Actions

Upgrade to Wing FTP Server v7.4.4 immediately — both CVEs are resolved in this release
Inventory all deployments — include dev, staging, and shadow IT instances that may run unmanaged versions
Restrict internet exposure — if external access isn't required, place Wing FTP behind a VPN or firewall
Hunt for ScreenConnect on Wing FTP hosts that wasn't deliberately installed

For Security Operations

Review authentication logs for POST requests to /loginok.html with oversized cookie values
Check for null byte patterns (%00) in Wing FTP username logs
Rotate credentials on any affected host as a precaution
Treat any compromise as a full incident — ScreenConnect deployment indicates adversary persistence intent

Key Takeaways

The CVSS score of 4.3 is misleading — this flaw's real-world danger is as the entry point for a CVSS 10.0 exploit chain
Patches have been available since May 14, 2025 — any unpatched organization has had 10 months to act
Exploitation continues at scale 8+ months after disclosure, indicating a large unpatched population
Multiple threat actors are involved — this is not a targeted campaign but broad opportunistic exploitation
CISA's KEV addition reinforces urgency — federal agencies have two weeks; private sector should treat this with equal priority

Sources

CISA Flags Wing FTP Zero-Day Chain Now Being Exploited at Scale

Attack Details

Attribute	Value
Primary CVE	CVE-2025-47813 (CVSS 4.3)
Chained CVE	CVE-2025-47812 (CVSS 10.0)
Affected software	Wing FTP Server ≤ 7.4.3
Fixed version	Wing FTP Server v7.4.4 (May 14, 2025)
KEV date	March 16, 2026
FCEB patch deadline	March 30, 2026
First exploitation	July 1, 2025
Exposed instances	~2,000+ internet-facing

How the Chain Works

Researcher Julien Ahrens of RCE Security documented the complete chain in June 2025 and published a working proof-of-concept. The first observed exploitation followed just 24 hours later.

Who Is Being Targeted

Creation of new local user accounts for persistence
Download and execution of malicious batch files
Deployment of ScreenConnect for persistent remote access

Impact Assessment

Impact Area	Description
Standalone risk	Low (path disclosure only)
Chained risk	Critical — full SYSTEM RCE without authentication
Exposure window	July 2025 to present — 8+ months of active exploitation
Persistence	ScreenConnect RAT; new local accounts
Sectors at risk	Any organization using Wing FTP for managed file transfer

Recommendations

Immediate Actions

Upgrade to Wing FTP Server v7.4.4 immediately — both CVEs are resolved in this release
Inventory all deployments — include dev, staging, and shadow IT instances that may run unmanaged versions
Restrict internet exposure — if external access isn't required, place Wing FTP behind a VPN or firewall
Hunt for ScreenConnect on Wing FTP hosts that wasn't deliberately installed

For Security Operations

Review authentication logs for POST requests to /loginok.html with oversized cookie values
Check for null byte patterns (%00) in Wing FTP username logs
Rotate credentials on any affected host as a precaution
Treat any compromise as a full incident — ScreenConnect deployment indicates adversary persistence intent

Key Takeaways

The CVSS score of 4.3 is misleading — this flaw's real-world danger is as the entry point for a CVSS 10.0 exploit chain
Patches have been available since May 14, 2025 — any unpatched organization has had 10 months to act
Exploitation continues at scale 8+ months after disclosure, indicating a large unpatched population
Multiple threat actors are involved — this is not a targeted campaign but broad opportunistic exploitation
CISA's KEV addition reinforces urgency — federal agencies have two weeks; private sector should treat this with equal priority

CISA Adds Wing FTP Server Flaw to KEV as RCE Chain Exploits Surge

CISA Flags Wing FTP Zero-Day Chain Now Being Exploited at Scale

Attack Details

How the Chain Works

Who Is Being Targeted

Impact Assessment

Recommendations

Immediate Actions

For Security Operations

Key Takeaways

Sources

PolyShell Attacks Target 56% of All Vulnerable Magento Stores

PTC Warns of Imminent Threat from Critical Windchill, FlexPLM RCE Bug

Oracle Pushes Emergency Fix for Critical Identity Manager RCE Flaw

CISA Adds Wing FTP Server Flaw to KEV as RCE Chain Exploits Surge

CISA Flags Wing FTP Zero-Day Chain Now Being Exploited at Scale

Attack Details

How the Chain Works

Who Is Being Targeted

Impact Assessment

Recommendations

Immediate Actions

For Security Operations

Key Takeaways

Sources

PolyShell Attacks Target 56% of All Vulnerable Magento Stores

PTC Warns of Imminent Threat from Critical Windchill, FlexPLM RCE Bug

Oracle Pushes Emergency Fix for Critical Identity Manager RCE Flaw