theinfosecnews

CVE-2025-47813

CISA KEV

Published March 16, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2025-47813 — Wing FTP Server Information Disclosure

**What it is:** Wing FTP Server leaks sensitive information in error messages when processing oversized values in the UID cookie, allowing unauthenticated attackers to extract system details without credentials.

**Impact:** An attacker can craft requests with malformed UID cookies to trigger verbose error responses, exposing internal paths, configuration details, or other system information useful for reconnaissance and follow-up attacks.

**Action:** Update Wing FTP Server to the patched version immediately. Review FTP server logs for suspicious cookie patterns or requests that returned error messages. Implement input validation and error message filtering at the network layer if patching is delayed.

Official Description

Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.

Affected Products

| Vendor | Product |
| --- | --- |
| Wing FTP Server | Wing FTP Server |

Patch Status

Patch by 2026-03-30

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-47813.
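For the log review in step 5, one way to flag requests carrying an unusually long UID cookie. This is an added example, not vendor or CISA tooling. It assumes a reverse proxy in front of the server logs the Cookie header as the last quoted field; the log layout, the `MAX_UID_LEN` threshold and the sample lines are all constructed for illustration.

```python
import re

# Assumption: the proxy logs the Cookie header as the last quoted field,
# e.g. nginx log_format '... "$request" $status "$http_cookie"'.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Assumption: tune this to the longest UID value your own server issues.
MAX_UID_LEN = 64


def uid_values(cookie_header):
    """Return every UID cookie value found in a raw Cookie header."""
    values = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "UID":
            values.append(value)
    return values


def find_oversized_uid(lines, max_len=MAX_UID_LEN):
    """Return (ip, timestamp, request, status, uid_length) per suspect request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed layout
        for value in uid_values(m["cookie"]):
            if len(value) > max_len:
                hits.append((m["ip"], m["ts"], m["req"],
                             int(m["status"]), len(value)))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 "UID=' + "a" * 32 + '"',
    '203.0.113.9 - - [01/Apr/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 "lang=en; UID=' + "A" * 500 + '"',
    '203.0.113.9 - - [01/Apr/2026:10:00:06 +0000] "GET / HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for hit in find_oversized_uid(SAMPLE_LOG):
        print(hit)
```

Hits are a starting point for triage: correlate the source addresses with later requests to the same host.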

Related Coverage

Vulnerability

CVE-2025-47813: Wing FTP Server Leaks Sensitive Data via Oversized UID Cookie

CVE-2025-47813 is an unauthenticated information disclosure vulnerability in Wing FTP Server that triggers verbose error messages containing sensitive data when an oversized UID cookie value is submitted. No authentication is required to exploit the flaw, making it accessible to any attacker with network reach to an affected instance. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, with federal agencies required to patch by March 30, 2026.

CISA KEV · 18d ago · 3 min read