The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47813, a Wing FTP Server flaw with a CVSS score of 4.3, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Wing FTP Server versions prior to 7.4.4 and arises in the loginok[.]html page during the web authentication process.
An attacker can trigger improper input handling by sending an excessively long UID cookie, causing the server to disclose the full local installation path. This does not enable remote code execution, but it could aid reconnaissance and facilitate further attacks such as path-based exploitation or file inclusion attempts. The advisory notes that the leak exposes filesystem details that could assist attackers.
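For defenders who capture HTTP request heads at a reverse proxy or WAF in front of the server, the following added example (not code from CISA or the vendor) flags requests to the login page that carry an oversized UID cookie. The 128-character limit, the `/loginok.html` path form and the sample requests are assumptions constructed for illustration; the page gives no length figure.

```python
from urllib.parse import urlsplit

# Assumption: legitimate UID session values are short; tune for your deployment.
MAX_UID_LEN = 128

def parse_request(raw):
    """Split a raw HTTP request head into (method, path, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, urlsplit(target).path, headers

def uid_lengths(headers):
    """Yield the length of every UID cookie value across all Cookie headers."""
    for cookie_header in headers.get("cookie", []):
        for pair in cookie_header.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep and name == "UID":
                yield len(value)

def flag_requests(raw_requests, limit=MAX_UID_LEN):
    """Return (index, method, path, uid_len) for suspicious login requests."""
    findings = []
    for idx, raw in enumerate(raw_requests):
        try:
            method, path, headers = parse_request(raw)
        except ValueError:
            continue  # not a parseable request line; skip it
        if not path.lower().endswith("/loginok.html"):
            continue
        longest = max(uid_lengths(headers), default=0)
        if longest > limit:
            findings.append((idx, method, path, longest))
    return findings

# Constructed sample capture: normal login, oversized UID, other page, junk.
HOST = "Host: ftp.example.test\r\n"
SAMPLE = [
    "POST /loginok.html HTTP/1.1\r\n" + HOST + "Cookie: UID=3f9a1c0de4b7; lang=en\r\n\r\n",
    "POST /loginok.html HTTP/1.1\r\n" + HOST + "Cookie: lang=en; UID=" + "A" * 4096 + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n" + HOST + "Cookie: UID=" + "B" * 4096 + "\r\n\r\n",
    "garbage",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("suspicious UID cookie:", hit)
```

A hit is a reason to confirm that the server is running 7.4.4 or later and to review what the matching response returned.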
Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the identified vulnerabilities by the due date to protect their networks; federal agencies have been ordered to fix this flaw by 30 March 2026. CISA also urges private organisations to review the KEV catalog and remediate the vulnerabilities in their infrastructure.