CISA Flags Actively Exploited Wing FTP Vulnerability
CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks. [...]
What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a security vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog. The entry, dated this week, is based on evidence that threat actors are actively exploiting the flaw in the wild. CISA has issued a binding directive for federal civilian agencies to patch their systems, warning that this vulnerability could be chained with other bugs to achieve remote code execution (RCE). This action highlights the immediate threat to both government and private sector networks using this popular file transfer software.
Why It Matters
The inclusion in the KEV catalog is a significant indicator of a clear and present danger. When CISA flags a vulnerability as “actively exploited,” it signifies that attacks are not just theoretical but are occurring, increasing the risk for all unpatched systems. Wing FTP Server is widely used across various industries for managed file transfer, meaning a successful exploit could lead to unauthorized access to sensitive files, data exfiltration, and a foothold for further network compromise. Organizations that fail to patch in response to this directive risk regulatory scrutiny and potentially severe breaches.
Technical Details
The vulnerability, tracked as CVE-2025-47813, is described as a path traversal or information disclosure flaw. Specifically, it allows an unauthenticated attacker to manipulate requests to leak the absolute server file system path. While classified as a medium-severity issue on its own, this information is highly valuable to an attacker. Knowing the full server path is a critical step in crafting more advanced attacks, such as exploiting local file inclusion (LFI) vulnerabilities or refining payloads for subsequent RCE attempts. The flaw affects specific versions of Wing FTP Server, though the exact version range is typically detailed in the vendor’s advisory.
Immediate Risk
The risk is high and requires urgent action. The confirmed active exploitation means that automated scanners and threat actors are likely probing for vulnerable instances. Any organization running an unpatched Wing FTP Server is at direct risk of initial compromise. The potential for this flaw to be part of an attack chain elevates its severity beyond its CVSS score. Federal agencies must comply with CISA’s patch deadline, and private entities should treat this with equal priority to prevent becoming a victim of ongoing campaigns.
Security Insight
This event underscores a critical security principle: context changes risk. A medium-severity vulnerability becomes critically urgent when actively weaponized. Security teams must prioritize patching based on threat activity, not just CVSS scores. The immediate action is to identify all instances of Wing FTP Server in your environment, consult the vendor’s security advisory for the patch addressing CVE-2025-47813, and apply it immediately. Furthermore, monitor logs for unusual path disclosure attempts or unauthorized access to FTP management interfaces as indicators of compromise.
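One way to act on the monitoring advice above, as an added example that is not part of the original article or of Wing FTP Server itself: a small Python scanner that reads constructed web-access log lines (Common Log Format, optionally enriched by a proxy or WAF with a quoted response-body excerpt, which is an assumption) and flags requests carrying encoded or double-encoded traversal sequences as well as responses that echo an absolute server path.

```python
"""Flag path-traversal probes and echoed server paths in web-access log lines.

Added example for this article (not Wing FTP Server's code or log format). It
assumes Common Log Format lines, optionally followed by a quoted response-body
excerpt added by a proxy or WAF, so a leaked absolute path can be spotted.
"""
import re
from typing import Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?$'
)
# Windows drive paths or common Unix install roots appearing in a response body.
ABS_PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^\s"]+|/(?:opt|usr|var|home|srv)/[^\s"]+)')

def normalize(path: str) -> str:
    """Percent-decode until stable (catches double encoding), then unify slashes."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")

def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious line, or None if benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "../" in normalize(m["path"]):
        reasons.append("traversal sequence in request")
    if ABS_PATH_RE.search(m["body"] or ""):
        reasons.append("absolute filesystem path in response")
    if not reasons:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "reasons": reasons}

def scan(lines):
    """Run classify over an iterable of log lines and keep only the findings."""
    return [f for f in map(classify, lines) if f]

SAMPLE = [  # constructed lines; 203.0.113.0/24 is a documentation range, paths are made up
    '203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2025:12:00:02 +0000] "GET /%2e%2e/%2e%2e/settings HTTP/1.1" 404 96 "/opt/example-ftp/webroot/settings: no such file"',
    '203.0.113.7 - - [10/Jul/2025:12:00:03 +0000] "GET /files/..%5c..%5csettings HTTP/1.1" 403 41',
    '203.0.113.7 - - [10/Jul/2025:12:00:04 +0000] "GET /%252e%252e%252fsettings HTTP/1.1" 403 41',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A response that contains an absolute path is the stronger signal here, since the request alone may be a blocked probe while an echoed path means the disclosure actually happened.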