CVE-2025-47813
Published 2025-07-10
CVE-2025-47813: loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
Priority: P269 · medium · 4.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-30
Exploited in the wild
EPSS: 56.37% (98.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | wing_ftp_server | < 7.4.4 | 7.4.4 |
Detection & IOCs (extracted from sources)
- path: /loginok.html
- cookie: UID=<2048+ chars>
Snort/Suricata rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wing FTP Server Information Disclosure Attempt (CVE-2025-47813)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/loginok.html"; fast_pattern; http.cookie; bsize:>100; content:"UID|3d|"; startswith; http.request_body; content:"username|3d|"; content:"password|3d|"; reference:url,github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt; reference:cve,2025-47813; classtype:attempted-admin; sid:2068290; rev:1; metadata:affected_product Wing_FTP, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2025_47813, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2026_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect POST requests to /loginok.html with a UID cookie value exceeding 100 bytes; this is the core trigger for the path disclosure error response.
- Use Shodan/FOFA/ZoomEye fingerprints to identify exposed Wing FTP Server instances: favicon hash 963565804, HTML hash 2121146066, title 'Wing FTP Server', or Server header 'Wing FTP Server'.
- Monitor the Wing FTP Server session directory for suspicious new .lua file additions as a post-exploitation indicator of CVE-2025-47812 follow-on activity.
- The Nuclei template is marked 'verified: false', meaning the detection logic has not been confirmed against a live vulnerable instance.
- The Snort/ET rule requires TLS decryption to be effective against HTTPS-protected Wing FTP web portal traffic (metadata: tls_state TLSDecrypt, deployment SSLDecrypt).
- CVE-2025-47813 requires an authenticated (low-privilege) session; unauthenticated exploitation is not directly possible for this specific path-disclosure flaw, though it is chained with the unauthenticated RCE CVE-2025-47812.
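A plain-Python re-implementation of the matching conditions in the ET rule above (sid 2068290), so the detection logic can be replayed offline against parsed request records. This is an added example, not code from the page or from Emerging Threats; the `HttpRequest` record and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    """Minimal parsed HTTP request (constructed shape, not a real capture format)."""
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def matches_et_2068290(req: HttpRequest) -> bool:
    """Apply the ET rule's content checks, in rule order."""
    # http.method; content:"POST"
    if req.method.upper() != "POST":
        return False
    # http.uri; bsize:13; content:"/loginok.html"  -> exact 13-byte URI
    if req.uri != "/loginok.html":
        return False
    # http.cookie; bsize:>100; content:"UID="; startswith
    cookie = next((v for k, v in req.headers.items() if k.lower() == "cookie"), "")
    if len(cookie) <= 100 or not cookie.startswith("UID="):
        return False
    # http.request_body; content:"username="; content:"password="
    return "username=" in req.body and "password=" in req.body


# Constructed sample traffic: a normal login, an overlong UID cookie on the
# vulnerable endpoint, the same cookie on another path, and a bodiless GET.
LOGIN_BODY = "username=alice&password=s3cret"
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/loginok.html", {"Cookie": "UID=abc123"}, LOGIN_BODY),
    HttpRequest("POST", "/loginok.html", {"Cookie": "UID=" + "A" * 2048}, LOGIN_BODY),
    HttpRequest("POST", "/login.html", {"Cookie": "UID=" + "A" * 2048}, LOGIN_BODY),
    HttpRequest("GET", "/loginok.html", {"Cookie": "UID=" + "A" * 2048}, ""),
]


def alert_indices(requests):
    """Return the positions of the requests that would fire the rule."""
    return [i for i, r in enumerate(requests) if matches_et_2068290(r)]


if __name__ == "__main__":
    for i in alert_indices(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[i]
        print(f"ALERT request #{i}: {r.method} {r.uri}, cookie length {len(r.headers['Cookie'])}")
```

Like the rule itself, this only sees cleartext requests, so for HTTPS portals it has to run on decrypted traffic or on the server's own request logs.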
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | | 4.3 | MEDIUM | |
| cisa | | 4.3 | MEDIUM | |
GHSA
GHSA-2vvg-j984-hh8p: loginok
ghsa (unreviewed) · 2025-07-10 · CVE-2025-47813 [MEDIUM] · CWE-209
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
VulnCheck
Wing FTP Server Information Disclosure Vulnerability
vulncheck · 2025 · CVSS 4.3 · CVE-2025-47813 [MEDIUM] · CWE-209
Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.
Affected: Wing FTP Server (vendor), Wing FTP Server (product)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-03-30
CISA
Wing FTP Server Information Disclosure Vulnerability
cisa · 2026-03-16 · CVSS 4.3 · CVE-2025-47813 [MEDIUM] · CWE-209
Vulnerability: Wing FTP Server Information Disclosure Vulnerability
Affected: Wing FTP Server (vendor), Wing FTP Server (product)
Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47813
Remediation Due Date: 2026-03-30
Suricata
ET WEB_SPECIFIC_APPS Wing FTP Server Information Disclosure Attempt (CVE-2025-47813)
suricata · 2026-03-17 · CVSS 4.3 · CVE-2025-47813 [MEDIUM]
Rule: sid 2068290, reproduced in full in the Detection & IOCs section above.
Nuclei
Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
nuclei · CVSS 10.0 · CVE-2025-47813 [CRITICAL]
Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813). The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further exploitation (e.g., CVE-2025-47812) by revealing the application's file system layout.
Template (excerpt):
```yaml
id: CVE-2025-47813
info:
  name: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
  author: rcesecurity,pdteam
  severity: medium
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information di
```
Bleepingcomputer
CISA flags Wing FTP Server flaw as actively exploited in attacks
blogs_bleepingcomputer · 2026-03-16 · CVSS 3.4 · [LOW]
## CISA flags Wing FTP Server flaw as actively exploited in attacks
Sergiu Gatlan
CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks.
Wing FTP Server is a cross-platform FTP server software that also provides secure file transfer via its built-in SFTP and web servers. The developers claim that their file transfer software is used by more than 10,000 customers worldwide, including the U.S. Air Force, Sony, Airbus, Reuters, and Sephora.
Tracked as CVE-2025-47813, the security flaw allows threat actors with low privileges to discover the full local installation path of the application on unpatched servers.
"Wing FTP Server contains a generation of error message
Bleepingcomputer
Hackers are exploiting critical RCE flaw in Wing FTP Server
blogs_bleepingcomputer · 2025-07-12 · CVSS 3.4 · CVE-2025-47812 [LOW]
## Hackers are exploiting critical RCE flaw in Wing FTP Server
Bill Toulas
Hackers have started to exploit a critical remote code execution vulnerability in Wing FTP Server just one day after technical details on the flaw became public.
The observed attack ran multiple enumeration and reconnaissance commands followed by establishing persistence by creating new users.
The exploited Wing FTP Server vulnerability is tracked as CVE-2025-47812 and received the highest severity score. It is a combination of a null byte and Lua code injection that allows a remote, unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM).
Wing FTP Server is a powerful solution for managing secure file transfers that can execute Lua scripts, which is widely used in ent
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
- 2025-07-10: Published
- 2026-03-16: Added to CISA KEV
- Exploited in the wild