Medium-Severity Flaw Used to Unlock Critical RCE
CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, flagging the flaw as actively exploited in attacks targeting Wing FTP Server deployments worldwide.
Although the vulnerability carries only a CVSS v3.1 score of 4.3 (Medium), its operational significance is far greater: it is the reconnaissance enabler for CVE-2025-47812 (CVSS 10.0 — Critical), a pre-authenticated remote code execution flaw in the same software. Attackers use CVE-2025-47813 to leak the server's installation path, then craft a precise payload for CVE-2025-47812 to achieve unauthenticated RCE with SYSTEM/root privileges.
Federal Civilian Executive Branch (FCEB) agencies must patch by March 30, 2026.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE | CVE-2025-47813 |
| CVSS v3.1 | 4.3 (Medium) |
| CVSS v4.0 | 5.3 (Medium) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Type | Information Disclosure — Error Message Contains Sensitive Data |
| Attack Vector | Network — requires low-privilege authentication |
| Affected Versions | Wing FTP Server ≤ 7.4.3 |
| Fixed Version | Wing FTP Server v7.4.4 (May 14, 2025) |
| KEV Added | March 16, 2026 |
| FCEB Patch Deadline | March 30, 2026 |
| Discovered By | Julien Ahrens, RCE Security |
How the Vulnerability Works
The flaw resides in Wing FTP Server's post-authentication handler at /loginok.html. When a POST request is sent to that endpoint with an excessively long value in the UID cookie, the server fails to handle the input gracefully and returns a verbose error message that includes the full local filesystem installation path (e.g., C:\Program Files\WingFTP\...).
The root cause is improper error handling — the server exposes internal path information instead of returning a sanitized error response.
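The pattern the advisory describes (an unhandled filesystem error whose raw message, path included, is returned to the client) is easy to reproduce in any web handler. The following Python sketch is an added illustration written for this page, not Wing FTP Server code: `INSTALL_DIR`, `MAX_UID_LEN`, the `.lua` session-file naming and the `login_ok_*` handlers are all hypothetical. It shows the leaky handler next to a hardened one that validates the cookie length up front and keeps exception details on the server side behind a correlation reference.

```python
import logging
import os
import uuid
from typing import Tuple

# Hypothetical install directory for this illustration (not a real Wing FTP path).
INSTALL_DIR = "/opt/example-ftp"
# Assumed sane upper bound for a session identifier; tune to the real cookie format.
MAX_UID_LEN = 64

log = logging.getLogger("ftp.auth")


def _session_path(uid: str) -> str:
    # Session state is assumed to live in a file named after the UID cookie.
    return os.path.join(INSTALL_DIR, "session", uid + ".lua")


def _open_session(uid: str) -> str:
    """Simulated session lookup. An overlong name fails the way the OS would
    (ENAMETOOLONG), and the exception object carries the full server path."""
    path = _session_path(uid)
    if len(os.path.basename(path)) > 255:
        raise OSError(36, "File name too long", path)
    return path


def login_ok_vulnerable(uid: str) -> Tuple[int, str]:
    """Leaky pattern: the raw exception text, server path included, is echoed
    to the client. This is the CWE-209 shape described in the advisory."""
    try:
        _open_session(uid)
    except OSError as exc:
        return 500, f"Internal error: {exc}"
    return 200, "session ok"


def login_ok_hardened(uid: str) -> Tuple[int, str]:
    """Validate the cookie before touching the filesystem, and never return
    exception details to the client; log them server-side under a reference."""
    if not uid.isalnum() or len(uid) > MAX_UID_LEN:
        return 400, "invalid session"
    try:
        _open_session(uid)
    except OSError:
        ref = uuid.uuid4().hex[:12]
        log.exception("session load failed (ref=%s)", ref)  # path stays in server logs
        return 500, f"internal error (ref {ref})"
    return 200, "session ok"


if __name__ == "__main__":
    overlong = "A" * 4096
    print(login_ok_vulnerable(overlong)[1][:120], "...")  # leaks INSTALL_DIR
    print(login_ok_hardened(overlong))                      # (400, 'invalid session')
```

The fix has two independent parts: input validation so the error path is never reached by an overlong cookie, and an error response that is generic regardless of which exception occurred. Either alone reduces the leak; both together are the usual hardening.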
The Two-Step Kill Chain
CVE-2025-47813 is not dangerous in isolation, but it serves as the first step in a publicly documented exploit chain:
| Step | CVE | CVSS | Action |
|---|---|---|---|
| 1 — Recon | CVE-2025-47813 | 4.3 | Send overlong UID cookie to leak server installation path |
| 2 — RCE | CVE-2025-47812 | 10.0 | Inject null byte + Lua code into username field; server writes attacker Lua code to a session file at the now-known path; session load triggers execution as SYSTEM |
Researcher Julien Ahrens documented the full chain in a June 2025 write-up, publishing a working proof-of-concept. Active exploitation began July 1, 2025 — just one day after publication.
Active Exploitation Details
Huntress confirmed real-world exploitation on a customer system, with attacks originating from multiple distinct IP addresses simultaneously. Post-exploitation behavior observed in the wild includes:
- Immediate post-compromise reconnaissance
- Creation of new local user accounts for persistence
- Download and execution of malicious batch files
- Deployment of ScreenConnect (remote monitoring tool) for persistent access
Wing FTP Server has over 10,000 customers worldwide, including the US Air Force, Sony, Airbus, Reuters, and Sephora. More than 2,000 internet-facing instances were identified at the time of the exploitation reports.
Remediation
Patching (Required)
Upgrade to Wing FTP Server v7.4.4 or later, which patches CVE-2025-47813, CVE-2025-47812, and CVE-2025-27889. The patch was released May 14, 2025.
If Patching Is Not Immediately Possible
Per CISA's BOD 22-01 guidance: if mitigations cannot be applied, discontinue use of Wing FTP Server until patching is feasible.
Federal Agencies
FCEB agencies must remediate by March 30, 2026 per CISA's KEV requirements.
Impact Assessment
| Impact Area | Description |
|---|---|
| Standalone risk | Low — leaks only the installation path |
| Chained risk | Critical — enables unauthenticated SYSTEM RCE via CVE-2025-47812 |
| Exposure | ~2,000+ internet-facing Wing FTP instances; 10,000+ total customers |
| First exploitation | July 1, 2025, one day after PoC publication |
| Sectors at risk | Any organization using Wing FTP Server for managed file transfer |
| Persistence methods observed | New local accounts, ScreenConnect RAT deployment |
Recommendations
For System Administrators
- Upgrade to Wing FTP Server v7.4.4 immediately — both CVEs are patched in this release
- Inventory all Wing FTP Server instances — include shadow IT deployments that may not appear in official asset lists
- Restrict internet-facing exposure — place Wing FTP behind a VPN or firewall if external access is not required
- Review recently created local accounts on Wing FTP hosts for signs of post-exploitation persistence
For Security Teams
- Hunt for ScreenConnect installations on Wing FTP Server hosts that weren't explicitly authorized
- Review Wing FTP authentication logs for unusual POST requests to /loginok.html with large cookie values
- Scan for CVE-2025-47812 and CVE-2025-47813 together — treat both as a single critical-priority remediation item
- Monitor for null byte patterns (%00 in username fields) in Wing FTP authentication logs
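The two log-review items above (overlong UID cookies on POST /loginok.html, and null bytes in the username field) can be turned into a small hunting script. The code below is an added example for this page, not a Huntress or Wing FTP tool. It assumes a constructed, combined-log-style line format with a cookie field and a `user="..."` field; Wing FTP Server's real log layout is not shown on this page, so `LOG_RE` must be adapted to it. `UID_LEN_THRESHOLD` is an assumed value, since the advisory does not state the length that triggers the error.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed minimum UID cookie length to flag as "overlong". Tune it against the
# lengths legitimate sessions on your server actually produce.
UID_LEN_THRESHOLD = 256

# Constructed sample lines (generic combined-log style plus a cookie field and
# the submitted username). Not Wing FTP Server's real log format.
_OVERLONG_UID = "A" * 4096
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jul/2025:14:02:11 +0000] "POST /loginok.html HTTP/1.1" 200 512 "UID=s3ss10n; lang=en" user="alice"',
    f'10.0.0.9 - - [01/Jul/2025:14:03:40 +0000] "POST /loginok.html HTTP/1.1" 500 2048 "UID={_OVERLONG_UID}" user="bob"',
    '10.0.0.9 - - [01/Jul/2025:14:03:41 +0000] "POST /loginok.html HTTP/1.1" 200 512 "UID=s3ss10n" user="bob%00junk"',
    '10.0.0.7 - - [01/Jul/2025:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "UID=s3ss10n" user="-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<cookie>[^"]*)" user="(?P<user>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    rule: str
    detail: str


def uid_cookie_value(cookie_header: str) -> Optional[str]:
    """Return the UID value from a 'k=v; k2=v2' Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def check_line(line: str, uid_threshold: int = UID_LEN_THRESHOLD) -> List[Finding]:
    """Apply both hunting rules to one log line; unparseable lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return []
    f = m.groupdict()
    findings: List[Finding] = []

    # Rule 1 (CVE-2025-47813 pattern): POST to /loginok.html with an overlong UID cookie.
    uid = uid_cookie_value(f["cookie"])
    if (f["method"] == "POST" and f["path"].split("?", 1)[0] == "/loginok.html"
            and uid is not None and len(uid) >= uid_threshold):
        findings.append(Finding(f["ip"], f["ts"], "overlong_uid_cookie",
                                f"UID cookie length {len(uid)} >= {uid_threshold}"))

    # Rule 2 (CVE-2025-47812 pattern): null byte in the username, URL-encoded or raw.
    if "%00" in f["user"].lower() or "\x00" in f["user"]:
        findings.append(Finding(f["ip"], f["ts"], "null_byte_in_username",
                                f"username={f['user']!r}"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every line and collect the hits in order."""
    hits: List[Finding] = []
    for line in lines:
        hits.extend(check_line(line))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"{hit.timestamp} {hit.ip} {hit.rule}: {hit.detail}")
```

Run it over the sample lines and only the two events from 10.0.0.9 are reported; a hit on either rule from the same source within a short window is the chain the advisory describes and should be escalated as an incident rather than closed as a patching task.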
Key Takeaways
- CVE-2025-47813 is the recon step in a CVSS 10.0 kill chain — its Medium rating understates real-world risk when CVE-2025-47812 is also unpatched
- Exploitation began July 1, 2025 — organizations still running Wing FTP ≤ 7.4.3 have been at risk for months
- CISA's KEV addition on March 16, 2026 signals continued active exploitation 8+ months after initial disclosure
- The patch (v7.4.4) has been available since May 14, 2025 — any organization running an older version is operating a known-exploited system
- Post-exploitation includes ScreenConnect RAT deployment — treat any compromise as a full incident response event, not just a patching exercise
Sources
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer — CISA flags Wing FTP Server flaw as actively exploited in attacks
- RCE Security — CVE-2025-47813 Advisory (Julien Ahrens)
- RCE Security — CVE-2025-47812: What the NULL?! Pre-Auth Wing FTP Server RCE
- Huntress — Wing FTP Server RCE Exploited in the Wild
- NVD — CVE-2025-47813
- NVD — CVE-2025-47812