The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning to U.S. government agencies regarding an actively exploited vulnerability in Wing FTP Server. Tracked as CVE-2025-47813, this flaw allows threat actors with low-privilege access to discover the full local installation path of the application on unpatched servers. According to CISA, the vulnerability arises when a long value is used in the UID cookie, leading to the generation of an error message that contains sensitive information. This path disclosure can serve as a critical reconnaissance step, potentially enabling attackers to chain this flaw with other vulnerabilities, such as the critical remote code execution (RCE) bug CVE-2025-47812 that was patched simultaneously, to achieve full system compromise.
Wing FTP Server is a widely deployed, cross-platform file transfer solution that supports FTP, SFTP, and web-based transfers. Its developer claims over 10,000 global customers, including high-profile entities like the U.S. Air Force, Sony, Airbus, Reuters, and Sephora, making it a high-value target for threat actors. The vulnerabilities, discovered and reported by security researcher Julien Ahrens, were addressed by the developer in May 2025 with the release of Wing FTP Server version 7.4.4. Notably, the critical RCE flaw (CVE-2025-47812) was observed being exploited in the wild merely one day after its technical details were publicly disclosed, underscoring the rapid weaponization of such vulnerabilities.
This alert from CISA arrives amidst a series of significant cybersecurity incidents, painting a picture of a complex and active threat landscape. In related news, the UK's Companies House confirmed a security flaw that exposed business data, while Microsoft addressed an outage blocking access to Exchange Online mailboxes and removed a problematic Samsung app from its Store. Separately, a sophisticated attack on Stryker demonstrated that wiping tens of thousands of devices does not always require traditional malware, highlighting evolving attacker techniques. Furthermore, the FBI is seeking victims of a campaign where Steam games were used to spread malware, and a compromised AppsFlyer Web SDK was hijacked to distribute cryptocurrency-stealing JavaScript code.
The convergence of these events emphasizes the critical need for organizations to maintain rigorous patch management and vulnerability remediation programs. The swift exploitation of the Wing FTP Server RCE flaw demonstrates that attackers continuously monitor for public disclosures to launch attacks. For administrators, immediate action is required: all instances of Wing FTP Server must be updated to version 7.4.4 or later without delay. Furthermore, organizations should review their broader attack surface, including third-party SDKs and supply chain components, as evidenced by the AppsFlyer incident, and ensure robust security configurations are in place.
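The two actionable points above, confirming that every instance runs 7.4.4 or later and watching for the unusually long UID cookie values that the advisory associates with the path-disclosure flaw, can be turned into a small defender-side check. The following is an added example written for this page, not code from CISA, Wing FTP, or the researcher; it assumes a JSON-lines request log (constructed here, as produced by a hypothetical reverse proxy in front of the server) and a length threshold of 64 characters, which is an assumption rather than a value from the advisory.

```python
import json
import re

# Assumed from the advisory: the release that addresses CVE-2025-47813 / CVE-2025-47812.
PATCHED_VERSION = "7.4.4"


def parse_version(v):
    """Split a dotted version string into a tuple of ints.
    Tuple comparison makes 7.4.10 rank above 7.4.4; a plain string
    comparison would get that wrong ("7.4.10" < "7.4.4")."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed, fixed=PATCHED_VERSION):
    """True when the installed version is at or beyond the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


# Assumed threshold (not from the page): UID values longer than this are anomalous.
MAX_UID_LEN = 64


def uid_cookie_value(cookie_header):
    """Return the value of the UID cookie from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def flag_oversized_uid(records, max_len=MAX_UID_LEN):
    """Return (src_ip, path, uid_length) for every record whose UID cookie
    exceeds max_len; records without a UID cookie are ignored."""
    hits = []
    for rec in records:
        uid = uid_cookie_value(rec.get("cookie", ""))
        if uid is not None and len(uid) > max_len:
            hits.append((rec["src_ip"], rec["path"], len(uid)))
    return hits


def load_records(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log (hypothetical reverse-proxy format, RFC 5737 test addresses).
SAMPLE_LOG = """
{"src_ip": "198.51.100.7", "path": "/login", "cookie": "UID=a1b2c3d4e5f6; lang=en"}
{"src_ip": "203.0.113.9", "path": "/", "cookie": "UID=%s"}
{"src_ip": "198.51.100.8", "path": "/help", "cookie": "lang=en"}
""" % ("A" * 200)


if __name__ == "__main__":
    for v in ("7.4.3", "7.4.4", "7.4.10"):
        print(v, "patched" if is_patched(v) else "UPDATE REQUIRED")
    for src_ip, path, n in flag_oversized_uid(load_records(SAMPLE_LOG)):
        print(f"oversized UID cookie ({n} chars) from {src_ip} on {path}")
```

The version check is the part most often done wrong in inventory scripts: comparing version strings lexically would report a future 7.4.10 build as older than 7.4.4. The cookie check is a coarse indicator only; an alert on it should prompt a version audit of the host, not be treated as proof of exploitation.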
Ultimately, the Wing FTP Server advisory serves as a potent reminder of the persistent risks associated with internet-facing software. In an era where digital infrastructure is under constant siege, proactive defense—comprising timely patching, continuous monitoring, and adherence to security best practices like enabling protections such as Kernel-mode Hardware-enforced Stack Protection in Windows 11—is non-negotiable. As threat actors refine their methods, from exploiting software flaws to abusing trusted platforms, a comprehensive and vigilant security posture remains the most effective defense against increasingly sophisticated cyber threats.