Zero-Day Security Alert — March 16, 2026: Wing FTP Server Information Disclosure
- Jacob Hughes
- Mar 16
Updated: Apr 8
Daily Security Briefing
March 16, 2026
CVE-2025-47813 | CVSS 4.3 | MEDIUM Severity | Actively Exploited (CISA KEV)
Affected Product
Wing FTP Server (all versions before 7.4.4) by Wing FTP Software
Description
loginok.html in Wing FTP Server before version 7.4.4 discloses the full local installation path of the application when a long value is supplied in the UID cookie. This information disclosure can be leveraged by authenticated attackers to map server-side directory structures and facilitate further exploitation, including path traversal and targeted file access attacks. The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information).
Attack Vector
Network-accessible. Attack complexity is Low. Requires Low-level privileges (authenticated user). No user interaction required. Scope is Unchanged. Confidentiality impact is Low; no integrity or availability impact. Despite the moderate CVSS score, CISA has confirmed active exploitation in the wild, elevating its operational risk for organizations running exposed Wing FTP Server instances.
Remediation
Upgrade Wing FTP Server to version 7.4.4 or later immediately. If an upgrade cannot be applied, apply available vendor mitigations or restrict network access to the FTP server management interface. Per CISA BOD 22-01 guidance, Federal Civilian Executive Branch agencies and organizations following federal security baselines must remediate this vulnerability by the due date. If no mitigations are available, discontinue use of the product.
CISA Remediation Due Date: March 30, 2026
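As an added example (not part of this alert, the NVD record or the vendor's own tooling), the Python below flags request log entries matching the pattern described under Description, a request to loginok.html carrying an abnormally long UID cookie, and checks an installed Wing FTP Server version string against the fixed release 7.4.4. The log line format, the 64-character threshold and the sample lines are assumptions constructed for the example.

```python
# Added example, not code from the alert or the vendor. Flags requests to
# loginok.html with an oversize UID cookie and checks a version against the
# fixed release. Log format and the 64-character threshold are assumptions.
import re

FIXED_VERSION = (7, 4, 4)   # first release that fixes CVE-2025-47813
UID_LEN_THRESHOLD = 64      # assumed: legitimate session ids are far shorter

# Constructed sample lines in an assumed "client method path cookie-header" format.
LONG_UID = "A" * 200        # constructed oversize cookie value
SAMPLE_LOG = "\n".join([
    "203.0.113.10 GET /loginok.html UID=abc123def; lang=en",
    f"203.0.113.10 GET /loginok.html UID={LONG_UID}; lang=en",
    f"198.51.100.7 GET /index.html UID={LONG_UID}",
])
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+)\s*(?P<cookies>.*)$")

def parse_cookies(raw: str) -> dict:
    """Turn 'a=1; b=2' into a dict; entries without '=' get an empty value."""
    out = {}
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out

def find_suspicious(log_text: str, threshold: int = UID_LEN_THRESHOLD) -> list:
    """Return (ip, path, uid_length) for loginok.html requests whose UID cookie exceeds threshold."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0].lower()   # drop any query string
        if not path.endswith("/loginok.html"):
            continue                                   # other pages are not affected
        uid = parse_cookies(m.group("cookies")).get("UID", "")
        if len(uid) > threshold:
            findings.append((m.group("ip"), path, len(uid)))
    return findings

def parse_version(s: str) -> tuple:
    """'7.4.3' -> (7, 4, 3); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.strip().split("."))

def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release 7.4.4."""
    return parse_version(version) < FIXED_VERSION
```

Feed real access logs through `find_suspicious` only after adapting `LINE_RE` to the actual log format in use.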
This report is generated automatically from NVD and CISA KEV data.