cbcvebase.
CVE-2025-47813
published 2025-07-10

CVE-2025-47813: loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

Priority: P2 (69) · Severity: medium · CVSS 3.1 base score: 4.3
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2026-03-30)
Exploited in the wild
EPSS: 56.37% (98.9th percentile)

Affected

1 range

Vendor        Product            Version range   Fixed in
wftpserver    wing_ftp_server    < 7.4.4         7.4.4

Detection & IOCs (extracted from sources)

path: /loginok.html
cookie: UID=<2048+ chars>
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wing FTP Server Information Disclosure Attempt (CVE-2025-47813)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/loginok.html"; fast_pattern; http.cookie; bsize:>100; content:"UID|3d|"; startswith; http.request_body; content:"username|3d|"; content:"password|3d|"; reference:url,github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt; reference:cve,2025-47813; classtype:attempted-admin; sid:2068290; rev:1; metadata:affected_product Wing_FTP, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2025_47813, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2026_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /loginok.html with a UID cookie value exceeding 100 bytes — the core trigger for the path disclosure error response.
  • Use Shodan/FOFA/ZoomEye fingerprints to identify exposed Wing FTP Server instances: favicon hash 963565804, HTML hash 2121146066, title 'Wing FTP Server', or Server header 'Wing FTP Server'.
  • Monitor the Wing FTP Server session directory for suspicious new .lua file additions as a post-exploitation indicator of CVE-2025-47812 follow-on activity.
  • The Nuclei template is marked 'verified: false', meaning its detection logic has not been confirmed against a live vulnerable instance.
  • The Snort/ET rule only sees the cookie and body if the HTTPS session is decrypted in front of the sensor (metadata: tls_state TLSDecrypt, deployment SSLDecrypt); on an undecrypted HTTPS-only Wing FTP web portal it will not fire.
  • CVE-2025-47813 requires an authenticated (low-privilege) session (CVSS PR:L); unauthenticated exploitation of this path-disclosure flaw is not directly possible, though it has been chained with the unauthenticated RCE CVE-2025-47812.
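To make the first bullet's trigger concrete, the following is an added example (not from the advisory, the ET rule, or the cbcvebase page) that re-implements the ET rule's match conditions in Python and runs them over constructed HTTP requests. The request parser, the `HttpRequest` dataclass and the sample requests are assumptions made for this illustration; the thresholds (POST, URI exactly `/loginok.html`, Cookie header starting with `UID=` and longer than 100 bytes, body containing `username=` and `password=`) are taken directly from the rule text above.

```python
"""Added example: log-side replica of the ET match logic for CVE-2025-47813.
Not the advisory's or Emerging Threats' own code; the parser and the sample
requests below are constructed for illustration."""
from dataclasses import dataclass

RULE_URI = "/loginok.html"      # http.uri; bsize:13; content:"/loginok.html"
COOKIE_MIN_LEN = 100            # http.cookie; bsize:>100


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict   # header names lower-cased by parse_raw_request()
    body: str


def parse_raw_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser sufficient for the constructed samples."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def matches_cve_2025_47813(req: HttpRequest) -> bool:
    """True when every condition of the ET rule holds for this request."""
    if req.method.upper() != "POST":                       # http.method; content:"POST"
        return False
    if req.uri != RULE_URI:                                # bsize:13 => exact URI, no query string
        return False
    cookie = req.headers.get("cookie", "")
    # bsize:>100 applies to the whole Cookie header value; startswith => "UID=" at offset 0
    if len(cookie.encode()) <= COOKIE_MIN_LEN or not cookie.startswith("UID="):
        return False
    return "username=" in req.body and "password=" in req.body   # http.request_body contents


def scan_requests(raw_requests):
    """Return the indices of raw requests that trigger the rule."""
    return [i for i, raw in enumerate(raw_requests)
            if matches_cve_2025_47813(parse_raw_request(raw))]


# Constructed samples (not captured traffic).
SAMPLE_ATTACK = (
    "POST /loginok.html HTTP/1.1\r\n"
    "Host: ftp.example.test\r\n"
    "Cookie: UID=" + "A" * 2048 + "\r\n"            # oversized UID cookie from the advisory
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=anonymous&password=test"
)
SAMPLE_BENIGN_LOGIN = (
    "POST /loginok.html HTTP/1.1\r\n"
    "Host: ftp.example.test\r\n"
    "Cookie: UID=0123456789abcdef0123456789abcdef\r\n"   # normal-length session id
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=s3cret"
)
SAMPLE_GET = (
    "GET /loginok.html HTTP/1.1\r\n"
    "Host: ftp.example.test\r\n"
    "Cookie: UID=" + "A" * 2048 + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hits = scan_requests([SAMPLE_ATTACK, SAMPLE_BENIGN_LOGIN, SAMPLE_GET])
    print("matching request indices:", hits)   # only the oversized-cookie POST matches
```

Two properties of the rule are worth noting when porting it elsewhere: `bsize:13` makes the URI match exact, so a request for `/loginok.html?x=1` is not caught, and the 100-byte threshold is on the entire Cookie header, so the check is independent of the 2048-character value cited by the advisory and will also fire on shorter but still oversized probes.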

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      4.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vulncheck             4.3     MEDIUM
cisa                  4.3     MEDIUM