Overview
- CVE-2025-47813, now in CISA’s Known Exploited Vulnerabilities catalog, exposes the full local installation path via a long UID cookie in loginok.html.
- Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate the vulnerability by March 30, 2026.
- Wing FTP Server version 7.4.4, released in May 2025, fixes this flaw along with a critical RCE (CVE-2025-47812) and another disclosure issue (CVE-2025-27889).
- Researcher Julien Ahrens published proof-of-concept code for CVE-2025-47813 and warned it may be chained with the previously exploited RCE.
- CISA urged all organizations to apply vendor mitigations or discontinue the product if fixes are unavailable, noting the software’s widespread use across major customers.
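As an added example (not code from the advisory, the researcher, or the vendor), a small Python detector that scans web server access logs for requests to loginok.html carrying an oversized UID cookie, the trigger described above. The log line format, the 256-character threshold, and the sample lines are constructed assumptions, not Wing FTP Server's native log format.

```python
import re
from typing import Dict, List, Optional

# UID cookie length above which a request is treated as anomalous.
# Assumption for this example; the advisory gives no specific length.
UID_LENGTH_THRESHOLD = 256

# Constructed sample log lines: combined-log style with the Cookie header
# appended in quotes. Illustrative only; adapt LINE_RE to the real format.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /loginok.html HTTP/1.1" 200 512 "UID=abc123"',
    '10.0.0.7 - - [01/Mar/2026:10:00:09 +0000] "GET /loginok.html HTTP/1.1" 200 2048 "UID=' + "A" * 600 + '"',
    '10.0.0.8 - - [01/Mar/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "UID=' + "B" * 600 + '"',
    '10.0.0.9 - - [01/Mar/2026:10:00:15 +0000] "GET /loginok.html HTTP/1.1" 200 512 "theme=dark"',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<cookie>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def uid_cookie_length(cookie_header: str) -> int:
    """Return the length of the UID cookie value, or 0 if no UID cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0


def find_suspicious(log_text: str, threshold: int = UID_LENGTH_THRESHOLD) -> List[Dict[str, str]]:
    """Flag requests to loginok.html whose UID cookie exceeds the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/loginok.html"):
            continue
        n = uid_cookie_length(rec["cookie"])
        if n > threshold:
            rec["uid_length"] = str(n)
            hits.append(rec)
    return hits
```

Hits from this scan are a triage signal to pair with a version inventory: any host below 7.4.4 that shows such requests should be prioritised for patching and review.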