CVE ID: CVE-2025-47813
Affected Product: Wing FTP Server (all instances processing UID cookie values)
Vendor: Wing FTP Software
Vulnerability Class: Information Disclosure — CWE-209 (Generation of Error Message Containing Sensitive Information)


Vulnerability Overview

CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server. The flaw exists in how the server handles the UID cookie value during request processing. When an attacker submits a request containing an abnormally long UID cookie, the server generates an error response that exposes sensitive system or application-level details. No authentication is required to trigger this behavior.

The attack vector is network-accessible and unauthenticated, meaning any host with network reach to the Wing FTP Server interface can attempt exploitation. The attacker constructs an HTTP request with an oversized UID cookie value and submits it to the server. The resulting error message contains information that would not normally be surfaced to an unauthenticated user — potentially including internal paths, application state, configuration details, or environment data, depending on deployment specifics.


Technical Details

The root cause is insufficient input validation combined with verbose error handling. Wing FTP Server fails to sanitize or truncate the UID cookie before using it in an operation that, when it fails, returns a detailed error message to the client. This is a classic instance of CWE-209, where error output intended for debugging purposes reaches an unauthorized party.

Because the triggering condition is a simple oversized cookie value, exploitation requires minimal technical sophistication. No exploit chain, privilege escalation, or prior foothold is necessary. The attacker sends a single malformed request and parses the response.

A CVSS score has not been publicly confirmed at the time of this writing, but the unauthenticated network attack vector, low complexity, and absence of required privileges indicate meaningful exploitability. The primary impact falls under confidentiality — the flaw does not directly enable code execution or data modification.


Real-World Impact

Wing FTP Server is deployed across enterprise environments and managed service providers for file transfer operations. Organizations running Wing FTP Server on internet-facing infrastructure face the highest exposure. An attacker enumerating targets can use the error response data to fingerprint the environment, identify software versions, map internal directory structures, or gather details useful for follow-on attacks.

For organizations handling regulated data — financial records, healthcare information, or government files — even passive information leakage can constitute a compliance violation under frameworks such as HIPAA, PCI DSS, or FedRAMP.

CISA has added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian executive branch (FCEB) agencies are required to remediate this vulnerability by March 30, 2026, under Binding Operational Directive 22-01. CISA's inclusion of this CVE in the KEV catalog indicates evidence of active exploitation in the wild.


Affected Versions

Organizations should cross-reference their installed Wing FTP Server version against the vendor's official advisory. All deployments should be treated as potentially affected until version-specific patch guidance is confirmed from Wing FTP Software.


Mitigation and Remediation

1. Apply vendor patches immediately. Check the Wing FTP Server official site and release notes for patches addressing CVE-2025-47813. Apply the update across all instances — production, staging, and any internet-facing deployments first.

2. Audit your Wing FTP Server inventory. Identify every Wing FTP Server instance running in your environment. Include cloud-hosted, on-premises, and managed service deployments. Shadow IT or undocumented FTP servers are a common blind spot.

3. Deploy WAF rules to block oversized cookie values. If patching cannot happen immediately, configure your web application firewall or reverse proxy to reject requests where the UID cookie value exceeds a defined length threshold. This reduces the attack surface while patch deployment is in progress.

4. Restrict network access to Wing FTP Server interfaces. Where operationally feasible, limit access to Wing FTP Server management and transfer interfaces to known IP ranges. Remove public internet exposure for any instance that does not require it.

5. Monitor FTP and HTTP logs for exploitation attempts. Search logs for repeated requests containing abnormally large UID cookie values. A spike in 4xx or 5xx error responses from a single source IP targeting FTP endpoints may indicate active reconnaissance using this vulnerability.

6. FCEB agencies must remediate by March 30, 2026. Federal agencies subject to BOD 22-01 have a hard remediation deadline. Document patching actions and retain evidence of compliance.
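As an added example (not part of the original advisory or of Wing FTP Software's own code), the Python below implements the two defensive checks from steps 3 and 5: a pre-check a reverse proxy or WAF plugin could apply to reject oversized UID cookie values, and a per-source triage of access-log lines that counts oversized-UID requests and 4xx/5xx responses. The CLF-style log layout, the 64-character threshold, the error-spike threshold and the sample lines are all assumptions; Wing FTP Server's real log format will differ and the regex must be adapted to it.

```python
import re
from collections import defaultdict

# Assumed threshold for a legitimate UID cookie value; tune to your deployment.
MAX_UID_LEN = 64
COOKIE_RE = re.compile(r'(?:^|;\s*)UID=([^;]*)')
# Constructed CLF-style access line with the Cookie header as the last quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \d+ "([^"]*)"$')

def uid_cookie_length(cookie_header: str) -> int:
    """Length of the UID cookie value, or 0 if the request carries no UID cookie."""
    m = COOKIE_RE.search(cookie_header or "")
    return len(m.group(1)) if m else 0

def is_oversized_uid(cookie_header: str, max_len: int = MAX_UID_LEN) -> bool:
    """WAF/reverse-proxy style pre-check: True means reject before the request reaches the server."""
    return uid_cookie_length(cookie_header) > max_len

def scan_log(lines, max_len=MAX_UID_LEN, error_spike=3):
    """Per source IP: count oversized-UID requests and 4xx/5xx responses.
    Returns {ip: {"oversized": n, "errors": n, "flag": bool}}; flag is set when the
    source sent any oversized UID cookie or reached the error-spike threshold."""
    stats = defaultdict(lambda: {"oversized": 0, "errors": 0, "flag": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ip, status, cookie = m.group(1), int(m.group(2)), m.group(3)
        s = stats[ip]
        if is_oversized_uid(cookie, max_len):
            s["oversized"] += 1
        if status >= 400:
            s["errors"] += 1
        s["flag"] = s["oversized"] > 0 or s["errors"] >= error_spike
    return dict(stats)

# Constructed sample lines (not real Wing FTP Server log output).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2026:10:01:02 +0000] "GET /main.html HTTP/1.1" 200 512 "UID=abc123"',
    '203.0.113.9 - - [11/Mar/2026:10:01:05 +0000] "GET /main.html HTTP/1.1" 500 1024 "UID=' + "A" * 400 + '"',
    '203.0.113.9 - - [11/Mar/2026:10:01:06 +0000] "GET /main.html HTTP/1.1" 500 1024 "UID=' + "A" * 800 + '"',
    '198.51.100.7 - - [11/Mar/2026:10:02:00 +0000] "GET /login.html HTTP/1.1" 404 0 "-"',
]

if __name__ == "__main__":
    for ip, s in scan_log(SAMPLE_LOG).items():
        print(ip, s)
```

Any source flagged on the oversized-UID count is worth reviewing regardless of its error count, since a single malformed request is enough to trigger the disclosure.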


Summary Table

| Field | Detail |
|---|---|
| CVE ID | CVE-2025-47813 |
| Vendor | Wing FTP Software |
| Product | Wing FTP Server |
| Vulnerability Type | Information Disclosure (CWE-209) |
| Attack Vector | Network, Unauthenticated |
| Authentication Required | None |
| CISA KEV Listed | Yes |
| Federal Patch Deadline | March 30, 2026 |