CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks.
Wing FTP Server is cross-platform FTP server software that also provides secure file transfer via its built-in SFTP and web servers. The developers claim that their file transfer software is used by more than 10,000 customers worldwide, including the U.S. Air Force, Sony, Airbus, Reuters, and Sephora.
Tracked as CVE-2025-47813, the security flaw allows threat actors with low privileges to discover the full local installation path of the application on unpatched servers.
“Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie,” CISA explains.
The developer patched it in May 2025 in Wing FTP Server v7.4.4, together with a critical remote code execution (RCE) bug (CVE-2025-47812) and an information disclosure flaw (CVE-2025-27889) that can be used to steal a user’s password.
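Two defender-side checks follow from the description above: confirm the installed version is at or beyond the fixed release (v7.4.4), and alert on requests that carry an abnormally long UID cookie, since that is the input the advisory ties to the error-message disclosure. The script below is an added example, not code from Wing FTP Software, CISA, or the researcher; the log line format, the 256-character threshold, and the sample traffic are all constructed assumptions and should be adapted to what your own deployment logs.

```python
"""Defender-side checks for CVE-2025-47813 exposure (added example, not vendor code)."""
import re
from typing import Iterable, Optional

# Wing FTP Server v7.4.4 is the release that fixed CVE-2025-47813 (from the article).
FIXED_VERSION = (7, 4, 4)

# Assumption: a legitimate UID session cookie is short; anything this long is
# abnormal and worth alerting on. Tune to what your own deployment actually emits.
UID_LENGTH_THRESHOLD = 256


def parse_version(version: str) -> tuple:
    """Turn 'v7.4.3' / '7.4.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("vV").split("."))


def needs_patch(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def uid_cookie_value(cookie_header: str) -> Optional[str]:
    """Return the UID cookie value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


# Constructed log format (assumption, not Wing FTP's native format):
#   <client_ip> "<METHOD> <path>" "<raw Cookie header>"
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+)" "(.*)"$')


def scan_log(lines: Iterable[str]) -> list:
    """Flag requests whose UID cookie exceeds the threshold; returns one dict per hit."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that do not follow the assumed format
        client, method, path, cookies = match.groups()
        uid = uid_cookie_value(cookies)
        if uid is not None and len(uid) > UID_LENGTH_THRESHOLD:
            findings.append({"client": client, "method": method,
                             "path": path, "uid_length": len(uid)})
    return findings


# Constructed sample traffic: two ordinary sessions and one oversized UID cookie.
SAMPLE_LOG = [
    '203.0.113.10 "GET /" "UID=abc123def456; lang=en"',
    '203.0.113.11 "POST /login" "lang=en"',
    '198.51.100.7 "GET /" "UID=' + "A" * 600 + '; lang=en"',
]

if __name__ == "__main__":
    for v in ("7.4.3", "7.4.4"):
        print(v, "needs patch" if needs_patch(v) else "at or beyond fixed release")
    for finding in scan_log(SAMPLE_LOG):
        print("ALERT oversized UID cookie:", finding)
```

The version check is the decisive control; the cookie-length alert is a secondary signal for spotting probing of unpatched hosts and should be fed from whatever reverse proxy or WAF actually fronts the Wing FTP web interface.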
The RCE vulnerability was previously tagged as exploited in the wild after attackers began abusing it one day after technical details on the flaw became public.
Security researcher Julien Ahrens, who discovered and reported the flaws, also shared proof-of-concept exploit code for CVE-2025-47813 in June and said attackers may exploit it as part of the same chain as CVE-2025-47812.
On Tuesday, CISA added CVE-2025-47813 to its catalog of actively exploited vulnerabilities and gave Federal Civilian Executive Branch (FCEB) agencies two weeks to secure their systems, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
While BOD 22-01 targets only federal agencies, the U.S. cybersecurity agency encouraged all defenders, including those in the private sector, to patch their servers against ongoing attacks as soon as possible.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned on Monday.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
