- CISA adds Wing FTP Server bug (CVE-2025-47813) to KEV catalog
- Medium-severity flaw leaks server paths, exploited in chained attacks
- Federal agencies ordered to patch by March 30 or discontinue use
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, warning US federal agencies about ongoing attacks and urging them to patch up immediately.
The organization added CVE-2025-47813, a bug found in Wing FTP Server, to KEV.
Wing FTP Server is a cross-platform file transfer server used to securely share and manage files, similar to MOVEit or GoAnywhere Managed File Transfer (MFT) solutions. According to its website, it is used by the likes of US AirForce, Airbus, Reuters, and Sony.
Proof of concept
The bug is described as an “information disclosure vulnerability” that can expose sensitive data in error messages. It happens because the application improperly handles a long UID cookie value, triggering an error message that reveals the server’s full local installation path.
It was given a severity score of 4.3/10 (medium). So, it’s not the most critical of all bugs, but it can be used for reconnaissance and chained with other bugs to launch more serious attacks. In fact, this is exactly what is happening in the wild, right now.
According to BleepingComputer, security researcher Julien Ahrens shared proof-of-concept (PoC) exploit code in summer 2025, stressing that the attackers were chaining it with a separate bug, tracked as CVE-2025-47812.
The bug affects all Wing FTP Server versions before 7.4.4 and was patched in May 2025. The same fix addressed two additional bugs - a critical remote code execution (RCE) vulnerability tracked as CVE-2025-57812, and an information disclosure flaw tracked as CVE-2025-27889.
Now, Federal Civilian Executive Branch (FCEB) agencies have a two-week deadline to patch the software, which expires on March 30. Alternatively, they can stop using the product altogether.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA said. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
