The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive after adding a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, found in the popular Wing FTP Server software, is currently being leveraged by malicious actors to map out internal server structures and facilitate deeper network compromises.
The vulnerability, tracked as CVE-2025-47813, carries a CVSS score of 4.3. While the score is moderate, its inclusion in the KEV catalog underscores the significant risk it poses when used as a building block for more complex attacks.
Wing FTP Server is a widely used multi-protocol solution supporting FTP, HTTP, and SFTP across Windows, Linux, and Mac OS. The vulnerability resides in the /loginok.html endpoint, which fails to properly validate the length of the “UID” session cookie.
If an authenticated attacker supplies a UID value that exceeds the maximum path size of the underlying operating system, the server triggers an error message. This error does more than just report a failure; it discloses the full local server path of the application.
As the report notes:
“Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812”.
The exploit is remarkably simple to execute, requiring only a basic POST request with a heavily padded UID cookie.
Because this type of flaw is a “frequent attack vector for malicious cyber actors,” CISA has set a strict deadline for federal agencies. Under the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this flaw by March 30, 2026.
While the mandate specifically targets federal agencies, private sector organizations using Wing FTP Server are strongly encouraged to follow suit to protect their own data.
Immediate Security Actions:
- Update Now: Upgrade Wing FTP Server to version 7.4.4 or later to resolve the cookie validation issue.
- Audit Permissions: Ensure that even authenticated users have the minimum necessary privileges, reducing the potential impact of a compromised account.
- Review Logs: Monitor server logs for unusual POST requests to /loginok.html or evidence of “cookie padding” (long strings of repetitive characters).
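As an added example (not code from the article, CISA, or the Wing FTP Server project), a small Python scanner that applies the log-review advice above to constructed sample log lines in an assumed format; the per-platform path limits (260 for Windows MAX_PATH, 4096 for Linux PATH_MAX), the log layout and the padding threshold are assumptions to adapt to your own server logs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in an assumed format: ip method path status "Cookie header".
# Real Wing FTP Server logs differ; adjust LOG_RE to match them.
SAMPLE_LOG = """\
203.0.113.5 POST /loginok.html 200 "UID=a1b2c3d4e5f6"
203.0.113.9 POST /loginok.html 500 "UID={pad}"
198.51.100.7 GET /index.html 200 "UID=deadbeef"
203.0.113.9 POST /loginok.html 200 "UID=xyz; lang=en"
""".format(pad="A" * 600)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Assumed OS path limits; a UID longer than this is what triggers the disclosing error.
PATH_LIMITS = {"windows": 260, "linux": 4096}

@dataclass
class Finding:
    ip: str
    uid_len: int
    status: str
    reason: str

def uid_from_cookie(cookie: str) -> Optional[str]:
    """Return the UID cookie value from a Cookie header, or None if absent."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None

def looks_padded(value: str, min_run: int = 64) -> bool:
    """True when the value contains a run of one repeated character (cookie padding)."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), value) is not None

def scan_log(text: str, platform: str = "windows") -> list[Finding]:
    """Flag POST /loginok.html requests whose UID cookie is oversized or padded."""
    limit = PATH_LIMITS[platform]
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/loginok.html":
            continue
        uid = uid_from_cookie(m["cookie"])
        if uid is None:
            continue
        if len(uid) > limit:
            findings.append(Finding(m["ip"], len(uid), m["status"], "UID exceeds %s path limit" % platform))
        elif looks_padded(uid):
            findings.append(Finding(m["ip"], len(uid), m["status"], "repetitive padding in UID"))
    return findings
```

Run `scan_log(SAMPLE_LOG, "linux")` as well: the 600-byte UID is below the Linux limit but still surfaces through the padding check, so both signals are worth keeping.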