CISA KEV Alert 3/16/2026, 6:49:59 PM

CISA Adds CVE-2025-47813 to Known Exploited Vulnerabilities Catalogue

CyberSIXT Evidence Panel
Source: marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Status Unknown

CISA has added CVE‑2025‑47813 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Wing FTP Server, the file‑transfer product from the vendor of the same name, and is identified as the “Wing FTP Server Information Disclosure Vulnerability”. It occurs when the server generates an error message that includes sensitive data after processing an excessively long value in the UID cookie.

The vulnerability is an information‑disclosure weakness. An attacker who can provoke the server to produce an error response can cause it to embed internal details such as configuration values or authentication tokens in the returned message. The attack vector is remote and requires only a crafted request containing an oversized UID cookie. The CVSS v3.1 base score is 4.3, reflecting a medium‑severity impact. No public patch or vendor advisory has been released at the time of writing, and the patch status is listed as unknown.

Inclusion in the KEV list means CISA has confirmed active exploitation. While there is no current evidence that ransomware groups are leveraging the flaw, the disclosed data could be incorporated into broader attack chains. CISA has set a remediation deadline of 30 March 2026 for affected Federal Civilian Executive Branch (FCEB) agencies.

CISA’s required remediation action is to “apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”. Agencies should verify whether a vendor‑supplied mitigation exists and, if not, consider decommissioning the affected Wing FTP Server instances. All other organisations are advised to assess their exposure, implement any available work‑arounds and monitor for further guidance.
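One way to monitor for the request pattern described above, as an added example that is not from CISA, the vendor or the original article: it scans a reverse-proxy log for requests whose UID cookie is unusually long. The JSON-lines log format, its field names, the sample records and the 64-character threshold are all assumptions to adapt to your own environment.

```python
import json

UID_MAX_LEN = 64  # assumed threshold; tune to the session-ID length your server issues


def uid_values(cookie_header):
    """Yield every value of a cookie named UID found in a raw Cookie header."""
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == "UID":  # exact name match, so GUID or SUID do not count
            yield value.strip('"')


def find_oversized_uid(log_lines, max_len=UID_MAX_LEN):
    """Return (line_no, src, path, status, uid_len) for requests with an oversized UID."""
    findings = []
    for line_no, raw in enumerate(log_lines, start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        cookie = rec.get("cookie") if isinstance(rec, dict) else None
        if not isinstance(cookie, str):
            continue  # request carried no Cookie header, or the field is malformed
        longest = max((len(v) for v in uid_values(cookie)), default=0)
        if longest > max_len:
            findings.append(
                (line_no, rec.get("src"), rec.get("path"), rec.get("status"), longest)
            )
    return findings


# Constructed sample: JSON-lines proxy log with the Cookie header captured
# (assumed format; addresses are documentation ranges, values are filler).
SAMPLE_LOG = [
    '{"src": "198.51.100.7", "path": "/", "status": 200, "cookie": "UID=' + "a" * 32 + '; lang=en"}',
    '{"src": "203.0.113.9", "path": "/", "status": 200, "cookie": "lang=en; UID=' + "B" * 900 + '"}',
    '{"src": "198.51.100.7", "path": "/", "status": 200}',
    "not json at all",
    '{"src": "203.0.113.9", "path": "/", "status": 200, "cookie": "GUID=' + "c" * 900 + '"}',
]

if __name__ == "__main__":
    for hit in find_oversized_uid(SAMPLE_LOG):
        print("line %d: src=%s path=%s status=%s UID length=%d" % hit)
```

Default access-log formats usually omit cookies, so the proxy or WAF in front of the server has to be configured to record the Cookie header (or at least its length) for this check to see anything.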

For full technical details see the NVD entry for CVE‑2025‑47813 and the CISA KEV catalogue.


Article by CyberSIXT