www.securityweek.com 3/17/2026, 11:07:12 AM

CISA Flags Year-Old Wing FTP Vulnerability as Exploited

According to CISA, a year-old Wing FTP vulnerability tracked as CVE-2025-47813 has been exploited in the wild. The flaw can disclose the application's full local installation path when a long value is used in the UID cookie of a logged-in session. It affects Wing FTP Server and was disclosed on 14 May 2025, when version 7.4.4 shipped patches. The issue lies in the loginok[.]html endpoint, where improper validation of the UID cookie allows an overlong value to reveal the server's full installation path.

Julien Ahrens of RCE Security, who found the bug and published PoC code, explained that an attacker could use the disclosed path to exploit other vulnerabilities in Wing FTP, including CVE-2025-47812, a related critical flaw that was patched in 7.4.4 and flagged as exploited in June 2025. Censys has estimated that about 5,000 internet-accessible servers are likely susceptible via POST requests. CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog and urged federal agencies to patch by 30 March.
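
For defenders reviewing logs while patching, the sketch below flags requests to the login endpoint whose UID cookie is far longer than the values normally seen there. It is an added example, not code from the article, RCE Security or Wing FTP; the log line format, the sample lines and the `factor` threshold are assumptions made for illustration.

```python
import re
from statistics import median

# Constructed sample lines in a hypothetical reverse-proxy format (assumption):
#   client "METHOD path" status "Cookie header"
SAMPLE_LOG = [
    '198.51.100.7 "POST /loginok.html" 200 "UID=' + "a" * 64 + '; lang=en"',
    '198.51.100.8 "POST /loginok.html" 200 "UID=' + "b" * 64 + '"',
    '198.51.100.9 "GET /loginok.html" 200 "lang=en; UID=' + "c" * 64 + '"',
    '203.0.113.50 "POST /loginok.html" 200 "UID=' + "A" * 600 + '"',
    '198.51.100.7 "GET /main.html" 200 "UID=' + "d" * 600 + '"',  # other endpoint
    '198.51.100.7 "GET /loginok.html" 200 "lang=en"',              # no UID cookie
    'truncated line without the expected fields',                  # unparsable
]

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "(.*)"$')
UID_RE = re.compile(r'(?:^|;\s*)UID=([^;]*)')


def parse(line):
    """Return client, method, path and UID length for one line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, _status, cookie = m.groups()
    uid = UID_RE.search(cookie)
    return {
        "client": client,
        "method": method,
        "path": path.split("?", 1)[0].lower(),
        "uid_len": len(uid.group(1)) if uid else 0,
    }


def flag_overlong_uid(lines, endpoint="/loginok.html", factor=4):
    """Flag endpoint requests whose UID is longer than factor x the median.

    The median is taken from the same log, so it assumes that most of the
    requests in the window are ordinary sessions.
    """
    records = [r for r in map(parse, lines)
               if r and r["path"] == endpoint and r["uid_len"] > 0]
    if not records:
        return []
    baseline = median(r["uid_len"] for r in records)
    return [r for r in records if r["uid_len"] > factor * baseline]


if __name__ == "__main__":
    for hit in flag_overlong_uid(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["uid_len"])
```

A hit only shows that an unusually long UID value reached the endpoint; whether the response disclosed the installation path has to be confirmed from the response body or the server's own logs.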

Article by CyberSIXT