
CISA warns of actively exploited Wing FTP Server vulnerability


A newly disclosed vulnerability in Wing FTP Server has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), signaling active exploitation in the wild.

 

What happened

According to Cybernews, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited vulnerability affecting Wing FTP Server, a widely used file transfer solution. The flaw, tracked as CVE-2025-47813, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling that threat actors are already abusing it in real-world attacks.

The vulnerability allows attackers to trigger error messages that expose sensitive system information, specifically the full local installation path of the server, by manipulating a UID cookie value.

 

Going deeper

Security experts caution that the danger extends beyond this one vulnerability: the weakness can be combined with other flaws in Wing FTP Server to facilitate a full-scale system breach.

The primary concern is that attackers might combine it with CVE-2025-47812, a critical remote code execution (RCE) vulnerability, allowing them to execute harmful commands on a server. Additionally, they could exploit CVE-2025-27889, an information disclosure flaw, to steal user credentials such as passwords.

Experts say this layered exploitation approach reflects a broader shift in cyberattacks, where multiple vulnerabilities, each with different severity levels, are combined to maximize impact. Rather than relying on a single critical flaw, attackers are increasingly chaining together smaller weaknesses to achieve full system compromise, persistence, and data theft.

 

What was said

According to Cybernews, CISA stressed the urgency of addressing the vulnerability, noting that “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

According to Andrew Obadiaru, Chief Information Security Officer at Cobalt, this is “a textbook example of how attackers don’t need novel exploits to be effective.” Obadiaru explained that attackers are increasingly chaining smaller weaknesses together, stating, “Instead, they chain together known weaknesses, starting with something as seemingly low-impact as information disclosure to map out the environment and identify paths to deeper compromise. The real issue is not the existence of these vulnerabilities, but the lag between disclosure, patching, and remediation across organizations.”

He added that “when a medium-severity flaw becomes the first step in a multi-stage attack leading to remote code execution, it underscores how defenders need to think in terms of attack paths, not individual CVEs.”

Similarly, Dale Hoak of RegScale pointed out how quickly risks can escalate once active exploitation is confirmed. “Security teams often prioritize patching based on severity scores, but adversaries prioritize based on opportunity and accessibility,” he said. Hoak emphasized that the real danger lies in how vulnerabilities are combined: “In this case, the real risk isn’t just the information disclosure flaw itself. It’s how easily it can be chained with an existing RCE vulnerability to escalate impact.”

He noted that this reflects a broader pattern in modern cyberattacks, where attackers combine lower-severity flaws with known exploits to create far more serious compromise paths, indicating a persistent gap in many vulnerability management programs.

 

The bigger picture

While the vulnerability is classified as medium severity, both The Hacker News and Cybernews suggest that its real danger lies in how it can be leveraged as part of a broader attack chain. The flaw enables attackers to extract sensitive information, such as the server’s installation path, which can aid in reconnaissance and provide valuable insight into the system’s structure.

According to the report, this type of information disclosure can make it easier for threat actors to identify weaknesses and plan follow-on attacks. Rather than acting as a standalone exploit, the vulnerability can be combined with other flaws to escalate access or move laterally within a network.

Both outlets emphasize that even non-critical vulnerabilities can become high-risk in practice, particularly when actively exploited. This reinforces a growing trend in cyberattacks where attackers chain multiple lower-severity issues together to achieve more serious outcomes.
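
The prioritization point above, as an added example (not from the article, CISA or any vendor): a small Python triage that ranks findings by attack path and KEV listing before severity, next to a severity-only baseline. The hosts, the `effect` labels, the chain rule and the placeholder CVE-0000-0001 are constructed; the KEV excerpt uses the catalog feed's `cveID` key and lists only the CVE the article says was added.

```python
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed KEV-style excerpt; only the CVE the article says was added.
KEV_EXCERPT = {"vulnerabilities": [{"cveID": "CVE-2025-47813"}]}

# Assumed chain rule: a disclosure bug next to an RCE bug on one host is a path.
CHAIN = {"info_disclosure", "rce"}

# Constructed scanner findings. Severities for the two Wing FTP CVEs follow
# the article; hosts and the placeholder CVE-0000-0001 are made up.
FINDINGS = [
    {"host": "ftp-01", "cve": "CVE-2025-47813", "severity": "medium", "effect": "info_disclosure"},
    {"host": "ftp-01", "cve": "CVE-2025-47812", "severity": "critical", "effect": "rce"},
    {"host": "ftp-02", "cve": "CVE-2025-47813", "severity": "medium", "effect": "info_disclosure"},
    {"host": "app-07", "cve": "CVE-0000-0001", "severity": "high", "effect": "dos"},
]

def severity_only(findings):
    """Baseline: highest severity first, ignoring exploitation and context."""
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])
    return [(f["host"], f["cve"]) for f in ordered]

def prioritize(findings, kev_feed):
    """Tier 0: link in a chain with a KEV-listed member; 1: KEV-listed; 2: rest."""
    kev = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    ranked = []
    for host, items in by_host.items():
        links = [f for f in items if f["effect"] in CHAIN]
        chained = CHAIN <= {f["effect"] for f in links}
        chain_in_kev = any(f["cve"] in kev for f in links)
        for f in items:
            if chained and chain_in_kev and f in links:
                tier = 0
            elif f["cve"] in kev:
                tier = 1
            else:
                tier = 2
            ranked.append((tier, -SEVERITY_RANK[f["severity"]], host, f["cve"]))
    return [(host, cve, tier) for tier, _, host, cve in sorted(ranked)]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_EXCERPT):
        print(row)
```

On this sample the severity-only baseline puts the unrelated high-severity finding ahead of both medium findings, while the path-aware ranking moves the KEV-listed medium finding up, and highest on the host where it sits beside the RCE flaw.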


FAQs

What is the KEV catalog?

The KEV (Known Exploited Vulnerabilities) catalog is a list maintained by the Cybersecurity and Infrastructure Security Agency (CISA) that identifies vulnerabilities actively being exploited by cybercriminals.

 

Why does CISA maintain the KEV catalog?

CISA created the catalog to help organizations prioritize patching by focusing on vulnerabilities that pose real, immediate threats.

 

What does it mean when a vulnerability is added to KEV?

It means there is verified evidence that attackers are exploiting the vulnerability in real-world attacks.

 

What is a vulnerability score?

A vulnerability score is a numeric rating that indicates the severity or potential impact of a security flaw, helping organizations prioritize which issues to address first.
