INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Wing FTP Server Exploited Vulnerability
2026-03-17 05:23 | HIGH | MEDIUM
Executive Summary AI-generated
The vulnerability, CVE-2025-47813, has been identified as a critical information disclosure bug in all versions of the software prior to and including version 7.4.3. It allows attackers to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software. The issue was addressed in version 7.4.4 following responsible disclosure by RCE Security researcher Julien Ahrens; that version also patched another critical bug that enables remote code execution. As of July 2025, the vulnerability has come under active exploitation in the wild, and federal agencies are recommended to apply the necessary fixes by March 30, 2026.
Technical Mitigations AI-generated
* Implement secure input validation: Ensure that the "UID" session cookie is properly validated to prevent long values from causing errors and revealing sensitive information.
* Use secure protocols for remote access: Consider using encrypted or secure communication protocols (e.g., HTTPS) when accessing Wing FTP Server instances, especially if they will be used in conjunction with other applications that may also have vulnerabilities.
* Regularly update and patch software: Keep all versions of Wing FTP Server up to date with the latest security patches, including version 7.4.4, which was released after responsible disclosure by Julien Ahrens.
* Monitor for suspicious activity: Regularly monitor server logs and network traffic for signs of unauthorized access or malicious activity, and take prompt action if any issues are detected.
* Implement least privilege access controls: Limit user privileges to only what is necessary for their role, and ensure that all users have a clear understanding of the risks associated with accessing Wing FTP Server instances.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-47812
CVE-2025-27889
CVE-2025-47813
Target & Sectors
Global Scope
government
Incident Timeline
November 2021
Threat actors used a known vulnerability in the Wing FTP server to gain unauthorized access and leak sensitive information.
vulnerability
CVE-2025-47813
On Tuesday, CISA added CVE-2025-47813 to its catalog of actively exploited vulnerabilities and gave Federal Civilian Executive Branch (FCEB) agencies two weeks to secure their systems, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
attribution
Federal Civilian Executive Branch
attribution
FCEB
May 2025
Threat actors exploited a Wing FTP Server v7.4.4 vulnerability to gain remote code execution and leak server paths in May 2025.
vulnerability
CVE-2025-47812
The developer patched it in May 2025 in Wing FTP Server v7.4.4, together with a critical remote code execution (RCE) bug (CVE-2025-47812) and an information disclosure flaw (CVE-2025-27889) that can be used to steal a user's password.
tactic
Remote Code Execution
tactic
T1584.004 - Server
vulnerability
CVE-2025-27889
July 2025
Threat actors used a proof-of-concept exploit to target the Wing FTP server, exploiting an actively leaked vulnerability that allowed attackers to download and execute malicious Lua files.
organisation
Huntress
According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.
organisation
PoC
Ahrens, in a proof-of-concept (PoC) exploit, shared on GitHub, noted that the endpoint at "/loginok.html" does not properly validate the value of the "UID" session cookie.
organisation
GitHub
Mar 17, 2026
Threat actors exploited a Wing FTP vulnerability to target all versions of the software prior to and including version 7.4.3, which was patched in version 7.4.4 shipped by CISA in May.
organisation
CVE-2025
The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions.
infrastructure
7.4.3
The shortcoming affects all versions of the software prior to and including version 7.4.3.
infrastructure
7.4.4
The issue was addressed in version 7.4.4, shipped in May following a responsible disclosure by RCE Security researcher Julien Ahrens.
It's worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution.
organisation
RCE Security
organisation
CVE-2025-47812
infrastructure
10.0
2026-03-17
U.S. CISA adds a flaw in Wing FTP Server to its Known Exploited Vulnerabilities catalog, which allows threat actors with low privileges to discover the full local installation path of the application when using a long value in the UID cookie during loginok.html page authentication.
organisation
CVE-2025-47813
CVE-2025-47813 is an information disclosure vulnerability affecting Wing FTP Server versions prior to 7.4.4.
infrastructure
7.4.4
organisation
CVE-2025-47812
Security researcher Julien Ahrens, who discovered and reported the flaws, also shared proof-of-concept exploit code for CVE-2025-47813 in June and said attackers may exploit it as part of the same chain as CVE-2025-47812.
organisation
UID
“loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie,” reads the advisory.
organisation
Wing FTP
Wing FTP Server is a cross-platform FTP server software that also provides secure file transfer via its built-in SFTP and web servers.
organisation
FTP
organisation
SFTP
organisation
the U.S. Air Force
The developers claim that their file transfer software is used by more than 10,000 customers worldwide, including the U.S. Air Force, Sony, Airbus, Reuters, and Sephora.
organisation
Sony
organisation
Airbus
organisation
Reuters
victims
10,000 customers
organisation
BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
March 30, 2026
Threat actors exploited a previously unknown vulnerability in the Wing FTP server, compromising sensitive information.
attribution
Federal Civilian Executive Branch
In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026.
attribution
FCEB
Tactical Metrics
Metrics
infrastructure
7.4.3
Software Version
Metrics
infrastructure
7.4.4
Software Version
Metrics
infrastructure
10.0
Software Version
Metrics
victims
10,000
Customers
Intelligence Sources
The Hacker News
2026-03-17
Security Affairs
2026-03-16
BleepingComputer
2026-03-16
CISA flags Wing FTP Server flaw as actively exploited in attacks
BleepingComputer
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:00
Comprehensive Tactical Telemetry
Highly Correlated Entities
17x | organisation | Identified Entity | Huntress | entity
9x | attribution | Attributing Entity | Vulnerability / Network Security | authority
7x | timeline | Temporal Reference | Mar 17, 2026 | date
3x | vulnerability | Exploited CVE | CVE-2025-47813 | cve
3x | infrastructure | Software Version | 7.4.3 | version
3x | tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique
2x | tactic | Cyber Operation Type | Reconnaissance | tactic
Contextual Telemetry
Context Block
9 METRICS
general metric | Vulnerability | 4 | vulnerability
general metric | Mar | 17 | mar
source region | Origin Country | United States | country
vulnerability | CVSS Score | 4 | score
industry | Targeted Sector | Government | sector
victims | Customers | 10,000 | customers
general metric | Red Report | 2,026 | red report
general metric | Malicious Samples | 1,100,000 | malicious samples
general metric | Top Techniques | 10 | top techniques