CISA KEV: Wing FTP Server Path Disclosure Vulnerability

CISA Known Exploited Vulnerabilities (KEV)
Published March 17th, 2026
Detected March 17th, 2026

Summary

CISA has added CVE-2025-47813, a path disclosure vulnerability in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects versions prior to 7.4.4 and requires specific conditions to exploit.

What changed

CISA has added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog. This entry pertains to a path disclosure vulnerability in Wing FTP Server (versions prior to 7.4.4) where a long value in the UID cookie can reveal the application's full local installation path. The vulnerability has a CVSS score of 4.3 (MEDIUM) and is classified under CWE-209.

Organizations using Wing FTP Server should assess their exposure to this vulnerability. While the KEV catalog does not mandate immediate action, it indicates active exploitation and recommends that federal agencies remove or update affected software. Other entities should consider prioritizing patching or mitigation strategies for this vulnerability to reduce their attack surface.

What to do next

  1. Assess Wing FTP Server installations for versions prior to 7.4.4.
  2. Apply vendor-provided patches or implement mitigation strategies for CVE-2025-47813.
  3. Review security logs for indicators of compromise related to this vulnerability.

Source document (simplified)

Required CVE Record Information

CNA: MITRE Corporation

Description

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

CWE 1 Total

- CWE-209: Generation of Error Message Containing Sensitive Information

CVSS 1 Total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 4.3 | MEDIUM | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

Product Status

Versions 1 Total

Default Status: unaffected

affected

  • affected from 0 before 7.4.4

References 3 Total

Authorized Data Publishers

CISA-ADP

Updated: 2026-03-17

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-03-16 |

KEV 1 Total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47813 (2026-03-16)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: March 17th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies
Geographic scope: National (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Topics: Vulnerability Management, Information Security
