CRITICAL: CISA Adds Wing FTP Vulnerability to KEV as Attackers Chain Flaws for Remote Access
CISA added CVE-2025-47813 (info disclosure) to KEV, used to enhance CVE-2025-47812 (CVSS 10.0 RCE) exploitation. Attackers chain both flaws for reliable remote access. Wing FTP patches available since May 2025. Federal deadline: March 30.
Sometimes a "medium severity" vulnerability is exactly what attackers need to turn a dangerous exploit into a trivial one. That's the situation playing out right now with Wing FTP Server, where a seemingly modest information disclosure bug is helping threat actors leverage a critical remote code execution flaw that's been causing headaches since last summer.
CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog on Monday, confirming what security researchers have suspected for months: attackers aren't just exploiting the catastrophic RCE in Wing FTP — they're using every available tool in the toolbox to make those attacks easier and more reliable. Federal agencies now have until March 30th to patch, and if you're running Wing FTP anywhere in your environment, that deadline should apply to you too.
Here's how this works. CVE-2025-47812, disclosed back in July 2025, is the kind of vulnerability that makes security teams wince. It carries a perfect CVSS score of 10.0, which in practical terms means unauthenticated remote code execution with minimal complexity. Attackers have been actively exploiting it since at least last summer, according to Huntress, who documented threat actors downloading malicious Lua scripts, conducting reconnaissance on compromised systems, and quietly installing remote monitoring and management software for persistent access.
The newer addition to CISA's catalog, CVE-2025-47813, looks almost boring by comparison. A CVSS score of 4.3 suggests a minor issue — just an information disclosure bug that leaks the server's installation path when you send an oversized value in the UID cookie. The /loginok.html endpoint doesn't properly validate cookie lengths, and when the value exceeds the operating system's maximum path size, the resulting error message helpfully reveals exactly where Wing FTP is installed on the server.
That might sound like trivia, but knowing the precise installation path makes exploiting the RCE vulnerability significantly more reliable. Julien Ahrens, the RCE Security researcher who discovered both flaws, explicitly noted this connection in his proof-of-concept documentation. The information disclosure vulnerability transforms what might be a finicky exploit into something consistent and repeatable. In the world of active exploitation, that's the difference between automated mass attacks and time-consuming manual operations.
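As an added example (not code from the article, Huntress, RCE Security or the Wing FTP project), the following Python detector looks for the request pattern the information disclosure relies on: a request to /loginok.html whose UID cookie is far longer than any legitimate session value. It assumes a reverse proxy or WAF in front of Wing FTP writes the Cookie header in the constructed log format shown; the log format, the 256-character threshold, the sample lines and the 500 status are all assumptions, because the article does not describe Wing FTP's own log format or the exact error response.

```python
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example, not Wing FTP's own):
#   <ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)

# Assumed threshold: a legitimate UID value is a short session token, while the
# disclosure needs a value longer than the OS path limit, so anything past a few
# hundred characters on this endpoint is anomalous whatever status was returned.
MAX_UID_LEN = 256
TARGET_PATH = "/loginok.html"


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: str
    uid_len: int


def uid_cookie_length(cookie_header):
    """Return the length of the UID cookie value, or None if no UID cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return None


def scan_log(lines, max_uid_len=MAX_UID_LEN):
    """Flag requests to /loginok.html carrying an oversized UID cookie."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        n = uid_cookie_length(m["cookie"])
        if n is not None and n > max_uid_len:
            findings.append(Finding(m["ip"], m["ts"], m["path"], m["status"], n))
    return findings


# Constructed sample lines: one normal login, one oversized UID on the login
# endpoint (should be flagged), one oversized UID elsewhere (ignored here).
SAMPLE_LOG = [
    '203.0.113.7 [10/Mar/2026:09:12:01 +0000] "POST /loginok.html HTTP/1.1" 200 '
    'cookie="UID=abc123; lang=en"',
    '198.51.100.23 [10/Mar/2026:09:12:05 +0000] "POST /loginok.html HTTP/1.1" 500 '
    'cookie="UID=' + "A" * 300 + '"',
    '203.0.113.9 [10/Mar/2026:09:13:11 +0000] "GET /index.html HTTP/1.1" 200 '
    'cookie="UID=' + "A" * 300 + '"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT oversized UID cookie ({f.uid_len} chars) from {f.ip} at {f.ts} -> {f.path}")
```

Because the path leak is a precursor to the RCE attempt rather than an end in itself, a hit should trigger a pivot on the same source address: pull its subsequent requests to the server and check the host for the post-exploitation indicators described further down.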
Wing FTP Server is widely deployed in enterprises for secure file transfer, particularly in regulated industries where compliance requirements drive the need for encrypted FTP, SFTP, and HTTPS file sharing. The software runs on Windows, Linux, and macOS, making it a common sight in heterogeneous environments where different teams have different platform preferences.
Both vulnerabilities were responsibly disclosed to Wing FTP, and the vendor shipped version 7.4.4 in May 2025 to address them. That's where the good news ends. Despite nearly a year passing since the patches became available, enough vulnerable instances remain exposed that attackers continue to find success. The addition of CVE-2025-47813 to the KEV catalog suggests that CISA is seeing these chained attacks against federal networks, which prompted the mandatory remediation deadline for FCEB agencies.
The exploitation pattern documented by Huntress last year remains concerning. Once attackers gain code execution through the RCE vulnerability, they're not just grabbing data and leaving. The observed behavior includes systematic reconnaissance, the deployment of remote access tools for persistence, and staging for potential lateral movement. This isn't smash-and-grab opportunism; it's methodical access establishment that suggests attackers are treating compromised Wing FTP servers as footholds for longer campaigns.
Chained vulnerability exploitation isn't new, but the Wing FTP situation illustrates a pattern that security teams often underestimate. Organizations that performed risk-based prioritization might have patched the critical RCE immediately while deprioritizing the medium-severity information disclosure. After all, CVSS 4.3 doesn't exactly scream urgency when you're triaging a backlog of critical findings.
But attackers don't think in isolation. They look at the entire attack surface and figure out how different weaknesses complement each other. A path disclosure vulnerability by itself might be a footnote. Combined with a powerful RCE that benefits from knowing exact installation paths, it becomes an accelerant. The medium-severity bug makes the critical one more dangerous, more reliable, and more scalable.
This is why patch prioritization based solely on individual CVSS scores can lead organizations astray. Context matters. When two vulnerabilities in the same product were disclosed together, fixed in the same release, and documented by the same researcher, treating them as unrelated findings misses the point. The vendor patched them together for a reason.
The most obvious action is to update Wing FTP Server to at least version 7.4.4, though the current version is likely several releases ahead by now. If you've been putting off this update because the server seems to work fine and nobody has complained, consider this your formal notice that the quiet operation of your FTP infrastructure doesn't mean it's safe.
For organizations that can't immediately patch, restricting network access to Wing FTP's administrative interfaces provides some mitigation. The information disclosure vulnerability requires access to the /loginok.html endpoint, so limiting who can reach the management interface reduces the attack surface. However, this should be treated as a temporary measure while scheduling the actual update, not as a long-term substitute for patching.
If you've been running vulnerable versions of Wing FTP in internet-facing configurations, assume compromise and investigate. Look for unexpected Lua files in the Wing FTP directory structure. Check for remote access tools or new scheduled tasks that you didn't create. Review outbound network connections for command-and-control traffic. The attackers exploiting these vulnerabilities aren't just looking for quick wins — they're establishing persistence for future operations.
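The first hunting step above, looking for Lua files that should not be there, is easy to do badly by eyeballing a directory listing. As an added example (not a Huntress or Wing FTP tool), this Python script inventories every .lua file under an install directory by SHA-256 and diffs it against a baseline manifest captured from a known-good install, reporting added, modified and missing scripts, and it can also list scripts touched after a cutoff time when no baseline exists. The directory layout, file names and manifest are constructed in a temporary directory for the demo and are not Wing FTP's real layout; run `lua_inventory` against your actual install path and a baseline you captured after patching.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large scripts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def lua_inventory(install_dir):
    """Map every .lua file under install_dir (relative, forward-slash path) to its SHA-256."""
    root = Path(install_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*.lua")
        if p.is_file()
    }


def diff_against_baseline(current, baseline):
    """Compare a fresh inventory with a known-good manifest from the same install."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])
    return {"added": added, "modified": modified, "missing": missing}


def recent_lua(install_dir, since_epoch):
    """Fallback when no baseline exists: .lua files modified after since_epoch (UNIX time)."""
    root = Path(install_dir)
    return sorted(
        str(p.relative_to(root)).replace(os.sep, "/")
        for p in root.rglob("*.lua")
        if p.is_file() and p.stat().st_mtime > since_epoch
    )


def build_demo_tree():
    """Constructed throwaway tree (not Wing FTP's real layout) plus a baseline manifest."""
    tmp = tempfile.mkdtemp(prefix="wingftp-demo-")
    root = Path(tmp)
    (root / "lua").mkdir()
    (root / "lua" / "hooks.lua").write_text("-- vendor hook (constructed)\n")
    (root / "lua" / "utils.lua").write_text("-- vendor util (constructed)\n")
    baseline = lua_inventory(root)  # snapshot of the known-good state
    # Simulate the two conditions the hunt is meant to surface:
    # a script that was never part of the install, and a vendor script that changed.
    (root / "lua" / "x.lua").write_text("-- unexpected file (constructed)\n")
    (root / "lua" / "utils.lua").write_text("-- vendor util, altered (constructed)\n")
    return tmp, baseline


def run_demo():
    tmp, baseline = build_demo_tree()
    return diff_against_baseline(lua_inventory(tmp), baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The hash comparison is the reliable signal; timestamps alone can be reset by an attacker, so treat `recent_lua` as a triage aid, not a clean bill of health. The other items on the hunting list (new scheduled tasks or services, remote access tooling, unexplained outbound connections) need the platform's own tooling and are not covered by this script.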
File transfer servers continue to be high-value targets because they sit at the intersection of external accessibility and internal data. MOVEit, GoAnywhere, and now Wing FTP have all demonstrated that attackers pay close attention to this category of software. The files being transferred often contain exactly the kind of sensitive information that makes ransomware negotiations more lucrative or espionage operations more productive.
If your organization relies on file transfer infrastructure, this is a good moment to audit not just your patching status but your overall architecture. Are these servers segmented from critical internal systems? Do you have visibility into what's being transferred and to whom? Can you detect unusual access patterns or unexpected administrative actions? The Wing FTP situation will eventually fade from the headlines, but the underlying risk category isn't going anywhere.
CISA's March 30th deadline applies formally to federal agencies, but there's no reason to wait that long. The patches have been available for nearly a year. The exploitation is confirmed. The technical details are public. At this point, remaining vulnerable is a choice, and it's not a defensible one.
References
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Huntress, Wing FTP Exploitation Analysis: https://www.huntress.com/blog/wing-ftp-exploitation-analysis
- NVD, CVE-2025-47812: https://nvd.nist.gov/vuln/detail/CVE-2025-47812
- NVD, CVE-2025-47813: https://nvd.nist.gov/vuln/detail/CVE-2025-47813