CISA: Wing FTP Server vulnerabilities are being actively exploited

CISA warns of active exploitation of CVE-2025-47813 in Wing FTP Server, which allows attackers to determine the software’s local installation path. The vulnerability can be combined with CVE-2025-47812, a critical vulnerability with a CVSS score of 10.0 that enables code execution with root/SYSTEM privileges. Both vulnerabilities have been patched in version 7.4.4.

Wing FTP Server is software for setting up a secure FTP server with support for FTP, FTPS, HTTP, HTTPS, and SFTP. It is often used to manage large-scale data transfers and control remote servers.

Via CVE-2025-47813, an attacker can use the loginok.html page and a specially crafted session cookie to determine the software’s full local installation path. This information can be used in subsequent attacks.

Two vulnerabilities, one combination

This vulnerability is closely related to a second, more severe flaw: CVE-2025-47812. This security flaw received the maximum CVSS score of 10.0. By injecting a null byte (%00) into the username field, attackers can execute arbitrary Lua code with root/SYSTEM privileges on the server. The vulnerability can even be exploited via anonymous FTP accounts.

Both vulnerabilities were discovered by researcher Julien Ahrens. He reported as early as June of last year that attackers could combine the vulnerabilities to completely take over vulnerable FTP servers. Security firm Huntress documented active exploitation as early as July 1 of last year, just one day after the public disclosure of CVE-2025-47812. It is estimated that around 5,000 internet-accessible servers were vulnerable at that time.

Update available

Last July, CISA already warned that CVE-2025-47812 had been exploited in attacks; now the same applies to CVE-2025-47813. A security update for both vulnerabilities is available in version 7.4.4 of Wing FTP Server.
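As an added defender-side example (not code from the article, from CISA or from the Wing FTP Server project): a small Python triage helper that flags login requests whose username field decodes to contain a NUL byte, the injection primitive described for CVE-2025-47812, and checks a reported product version against the fixed release 7.4.4. The request lines are constructed in an assumed generic "METHOD PATH BODY" layout, not the product's real log format.

```python
from urllib.parse import parse_qs

# Release in which both CVE-2025-47812 and CVE-2025-47813 are fixed (per the article).
PATCHED_VERSION = (7, 4, 4)

# Constructed sample request lines in an assumed "METHOD PATH BODY" layout.
# This is NOT Wing FTP Server's actual log format; it only serves the demo.
SAMPLE_LINES = [
    "POST /loginok.html username=alice&password=s3cret",
    "POST /loginok.html username=anonymous%00&password=guest",
    "GET /index.html",
]


def parse_version(text: str) -> tuple:
    """Turn '7.4.3' into (7, 4, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version_text: str) -> bool:
    """True when the reported version is 7.4.4 or later."""
    return parse_version(version_text) >= PATCHED_VERSION


def username_has_null_byte(body: str) -> bool:
    """True if the URL-encoded form body carries a username containing a NUL byte.

    parse_qs percent-decodes the fields, so '%00' becomes '\\x00' in the value.
    Only a single decoding pass is applied; double-encoded variants are not claimed.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


def scan_lines(lines) -> list:
    """Return the indices of POST requests whose username field contains a NUL byte."""
    flagged = []
    for index, line in enumerate(lines):
        parts = line.split(" ", 2)          # method, path, optional body
        if len(parts) < 3 or parts[0] != "POST":
            continue
        if username_has_null_byte(parts[2]):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print("suspicious request indices:", scan_lines(SAMPLE_LINES))   # [1]
    for v in ("7.4.3", "7.4.4"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```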